2x authorize_check_query
Hi All!
It's a situation in which i have two authorize_check_query.
I'm using pppoe+sql and I also want to implement dhcp.
But the thing is that when dhcp nas asks freeradius it uses mac
address as username.
So i want sth like two sql { } sections with two different
authorize_check_query for two different auth types.
Sorry for my lame eng.
Big thanks!
--
Pozdrawiam!
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
Switch to the newsiest freeradius version. Maybe it will help. 2010/6/2 Andras Dosztal adosz...@gmail.com: Hi, I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the Automatically use my Windows logon name and password on a WinXP client's PEAP properties. This is the output of radiusd -A -X: rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15, length=194 User-Name = E00\\user1 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = 00-26-CA-8D-A7-85 Calling-Station-Id = 00-0B-CD-04-75-8C Attr-102 = 0x NAS-Port-Type = Ethernet NAS-Port = 50005 NAS-Port-Id = FastEthernet0/5 NAS-IP-Address = 10.128.128.1 EAP-Message = 0x0201000e014530305c7573657231 Proxy-State = 0x280646014009a74212c6bb2daec4f3110aa90d1af235 Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = user1, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 0 users: Matched entry user1 at line 88 modcall[authorize]: module files returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for user1 radius_xlat: '(uid=user1)' radius_xlat: 'o=snac' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64 rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=snac, with filter (uid=user1) rlm_ldap: checking if remote access for user1 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module pap returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module eap returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [user1/no User-Password attribute] (from client lan port 50005 cli 00-0B-CD-04-75-8C) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 0 modcall[post-auth]: module ldap returns noop for request 0 modcall: leaving group REJECT (returns noop) for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 15 to 10.128.128.3 port 1812 Proxy-State = 0x280646014009a74212c6bb2daec4f3110aa90d1af235 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 15 with timestamp 4c06337d Nothing to do. Sleeping until we see a request. The with_ntdomain_hack directive is set to yes in the preprocess and mschap modules of radiusd.conf. When I set it to no and uncheck the Automatically use my Windows... and enter the user's credentials in a pop-up box, it's working fine. Could you guys help me with this problem? Thanks in advance. Regards, Andras - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
In freeradius 2.x use ClearText-Password instead of User-Password! 2010/6/2 Andras Dosztal adosz...@gmail.com: I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922 Regards, Andras On Wed, 02 Jun 2010 12:35:11 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote: Switch to the newsiest freeradius version. Maybe it will help. 2010/6/2 Andras Dosztal adosz...@gmail.com: Hi, I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the Automatically use my Windows logon name and password on a WinXP client's PEAP properties. This is the output of radiusd -A -X: [...] The with_ntdomain_hack directive is set to yes in the preprocess and mschap modules of radiusd.conf. When I set it to no and uncheck the Automatically use my Windows... and enter the user's credentials in a pop-up box, it's working fine. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
If you are using users file, you have it located there. exp: testuser Cleartext-Password := test123 2010/6/2 Andras Dosztal adosz...@gmail.com: Sorry for the dumb question, but where can I configure that? On Wed, 02 Jun 2010 13:34:29 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote: In freeradius 2.x use ClearText-Password instead of User-Password! 2010/6/2 Andras Dosztal adosz...@gmail.com: I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
I'm not using ldap(and i've never used before) so try to find some where the variable User-Password and replace it with ClearText-Password. 2010/6/2 Andras Dosztal adosz...@gmail.com: I'm using LDAP with an eDirectory backend. On Wed, 02 Jun 2010 16:26:19 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote: If you are using users file, you have it located there. exp: testuser Cleartext-Password := test123 2010/6/2 Andras Dosztal adosz...@gmail.com: Sorry for the dumb question, but where can I configure that? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius 2.x EAP-MSCHAPv2 + MySQL
Hi ALL!! I'm trying to get authenticated with mikrotik wireless AP. All works but only when I add the user into the users file. The thing is that i want to get the users from mysql. In this moment the authentication requests are coming from PPPoE concentrator, and the users are in MySQL database - it works fine. The freeradius server while authenticating is not searching in the sql database. Why that? Please help and sorry for my lame eng. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
My NAS-es are located in the clients file and they are working fine with pppoe auth. 2010/5/19 dorra aa dj_dido2...@hotmail.com: hi, in sql.conf did you modify that line :readclients = no to readclients = yes ? Date: Wed, 19 ! May 2010 13:52:59 +0200 Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL From: mac...@drobniuch.pl To: freeradius-users@lists.freeradius.org Hi ALL!! I'm trying to get authenticated with mikrotik wireless AP. All works but only when I add the user into the users file. The thing is that i want to get the users from mysql. In this moment the authentication requests are coming from PPPoE concentrator, and the users are in MySQL database - it works fine. The freeradius server while authenticating is not searching in the sql database. Why that? Please help and sorry for my lame eng. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hotmail: Trusted email with powerful SPAM protection. Sign up now. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Restricting access to NAS via http login authentication list
i think that only the NAS has the power to decide it. RADIUS sends only the accounts 2010/5/19 Peter Carlstedt pc_...@hotmail.com: Hello, Didnt really know what kind of title I should have given this one but I will try to explain what it is I am aiming for. The switches I use supports both http and https login towards the switch to administrate it. The switch has support for using an athentication towards a radius server to check if the user wanting to login to the switch is a existing user in the radius server. The problem I have is that every user in the user file in Freeradius can access the switch when im using an authentication list which checks against the radius server. Is there anyway to restrict so that only one specific user in the users file can get access to the NAS? Best regards/ Peter Carlstedt Hotmail: Trusted email with Microsoft’s powerful SPAM protection. Sign up now. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
= 0x
State = 0xbd4bf931ba42e07726e24ebbe3a70713
Finished request 25.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 93.175.129.30 port 34473,
id=48, length=186
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = mario
State = 0xbd4bf931ba42e07726e24ebbe3a70713
NAS-Port-Id = wlan1
Calling-Station-Id = 00-24-23-05-18-62
Called-Station-Id = 00-0E-8E-12-5C-0B:PROV
EAP-Message =
0x0209002b190017030100206a58c78b2bc64359b7abccfc8811c5f762ad6a538bdc50e41414c76c5e1253be
Message-Authenticator = 0x7a4f0112fc90130c87304c87def0ef94
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.1.141
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = mario, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - mario
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 26 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 93.175.129.30 port 34473,
id=48, length=186
Waiting to send Access-Reject to client PROV -EST port 34473 - ID: 48
Waking up in 0.6 seconds.
2010/5/19 Maciej Drobniuch mac...@drobniuch.pl:
My NAS-es are located in the clients file and they are working fine
with pppoe auth.
2010/5/19 dorra aa dj_dido2...@hotmail.com:
hi,
in sql.conf did you modify that line :readclients = no to
readclients = yes ?
Date: Wed, 19 ! May 2010 13:52:59 +0200
Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL
From: mac...@drobniuch.pl
To: freeradius-users@lists.freeradius.org
Hi ALL!!
I'm trying to get authenticated with mikrotik wireless AP. All works
but only when I add the user into the users file.
The thing is that i want to get the users from mysql.
In this moment the authentication requests are coming from PPPoE
concentrator, and the users are in MySQL database - it works fine.
The freeradius server while authenticating is not searching in the sql
database. Why that?
Please help and sorry for my lame eng.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Hotmail: Trusted email with powerful SPAM protection. Sign up now.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Pozdrawiam!
Maciej Drobniuch
--
Pozdrawiam!
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql. I'm using EAP PEAP MSCHAPv2 The sql is enabled and it works fine with pap,chap,mschap, mschapv2 on pppoe concentrators, but while using EAP it isn't working. Here is the whole debug: http://testowy.langw.net/text.txt 2010/5/19 Alan DeKok al...@deployingradius.com: Maciej Drobniuch wrote: The freeradius server while authenticating is not searching in the sql database. Why that? You didn't configure it. What does the debug log say? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Pozdrawiam! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Thanks Alan, I did not knew about the inner-tunnel.
Now everything works fine.
BIG THANKS TO ALL!!
2010/5/19 Alan DeKok al...@deployingradius.com:
Maciej Drobniuch wrote:
Maybe you did not understand me, but when the mario user is in files
all works fine but when not the freeradius isn't asking the sql.
Because you didn't configure it to ask SQL.
I'm using EAP PEAP MSCHAPv2
Did you edit raddb/sites-available/inner-tunnel?
The sql is enabled
Where?
Here is the whole debug: http://testowy.langw.net/text.txt
Can you read it?
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
This is pretty obvious. Now read *backwards* from that. You'll see
that there's no mention of SQL, but there is some text:
Sending tunneled request
EAP-Message = ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = mario
State = 0x66cdb16066c5abec558fec6768936d41
server inner-tunnel {
It's telling you that it's running the inner-tunnel virtual server.
Did you edit it? It looks like you didn't.
Should you edit it? Absolutely.
Alan DeKok.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Pozdrawiam!
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mikrotik as NAS with PPPoE - checkval
Hi! I want to bind a login with Calling-Station-Id but i've got problems... *I've had added the Calling-Station-Id to mysql radcheck table. *I've had turned on the rlm_checkval by adding it into authorize section *I've had set the notfound-reject variable to yes I get the following errors in debug: rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound What is the problem? Please help! Thanks for all!!! -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mikrotik as NAS with PPPoE - checkval
I want to check by the pppd 3 attributes that must match: -Login -Password -MAC Address So if someone on another machine who uses the login and the password will be rejected. The mikrotik NAS doc shows that there is a Calling-Station-ID http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php I want EVERYONE to be checked for the calling station id. Thank you for the reply. On Wed, 20 Aug 2008 11:26:05 +0100, Ivan Kalik [EMAIL PROTECTED] wrote: I want to bind a login with Calling-Station-Id but i've got problems... *I've had added the Calling-Station-Id to mysql radcheck table. *I've had turned on the rlm_checkval by adding it into authorize section *I've had set the notfound-reject variable to yes I get the following errors in debug: rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound What is the problem? Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Mikrotik as NAS with PPPoE - checkval
Thank you for the reply but you did miss the point of Calling-Station-ID Greetz! On Wed, 20 Aug 2008 12:05:58 +, Santiago Balaguer García [EMAIL PROTECTED] wrote: Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply: Framed-Protocol = PPP, Framed-IP-Address = 10.0.0.x, Framed-IP-Netmask = 255.255.255.0, Be carefull because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next explample where my PPP gateway is 10.200.0.10 /ppp profile set default change-tcp-mss=yes comment= name=default only-one=default \remote-address=10.200.0.10 use-compression=default use-encryption=default \use-vj-compression=default you set the pptp/l2tp client with this profile when you insert the username/password. You needn't to add Dafault route. If you need mor help, ask for and I will send you my manual in Spanish. Sanitago To: freeradius-users@lists.freeradius.org Subject: Re: Mikrotik as NAS with PPPoE - checkval Date: Wed, 20 Aug 2008 11:26:05 +0100 From: [EMAIL PROTECTED] I want to bind a login with Calling-Station-Id but i've got problems... *I've had added the Calling-Station-Id to mysql radcheck table. *I've had turned on the rlm_checkval by adding it into authorize section *I've had set the notfound-reject variable to yes I get the following errors in debug: rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound What is the problem? Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Nuevo Canal Messenger http://www.vivelive.com/ilovemessenger/ -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mikrotik as NAS with PPPoE - checkval
It works now properly! BIG THANKS! On Wed, 20 Aug 2008 14:40:12 +0200, Marinko Tarlac [EMAIL PROTECTED] wrote: id - username - attribute - op 1139 gojko Calling-Station-Id 00:50:70:AE:04:54 == Mikrotik wants uppercase MAC address and OP must be == It works for me and you need to insert this in radcheck table On Wed, Aug 20, 2008 at 2:34 PM, Maciej Drobniuch [EMAIL PROTECTED]wrote: Thank you for the reply but you did miss the point of Calling-Station-ID Greetz! On Wed, 20 Aug 2008 12:05:58 +, Santiago Balaguer García [EMAIL PROTECTED] wrote: Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply: Framed-Protocol = PPP, Framed-IP-Address = 10.0.0.x, Framed-IP-Netmask = 255.255.255.0, Be carefull because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next explample where my PPP gateway is 10.200.0.10 /ppp profile set default change-tcp-mss=yes comment= name=default only-one=default \remote-address=10.200.0.10 use-compression=default use-encryption=default \use-vj-compression=default you set the pptp/l2tp client with this profile when you insert the username/password. You needn't to add Dafault route. If you need mor help, ask for and I will send you my manual in Spanish. Sanitago To: freeradius-users@lists.freeradius.org Subject: Re: Mikrotik as NAS with PPPoE - checkval Date: Wed, 20 Aug 2008 11:26:05 +0100 From: [EMAIL PROTECTED] I want to bind a login with Calling-Station-Id but i've got problems... *I've had added the Calling-Station-Id to mysql radcheck table. *I've had turned on the rlm_checkval by adding it into authorize section *I've had set the notfound-reject variable to yes I get the following errors in debug: rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound What is the problem? Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Nuevo Canal Messenger http://www.vivelive.com/ilovemessenger/ -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to assign default gatway?
It's possible when you are using PPPoE, but it's rather not posible to do that with freeradius(or any radius) On Thu, 7 Aug 2008 13:25:05 -0400, Xiaochen Jing [EMAIL PROTECTED] wrote: Hello all, Is that possible to assign users a default gateway while allocating dynamic IP addresses from IP pool? Thank you -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_chap: Password check failed
Hi! I have a problem with chap authorization. PAP works fine but chap gives out this output: http://paste-it.net/public/id5f751/ Thanks! -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure radius server
http://wiki.freeradius.org/HOWTO http://www.google.com It also depends on what do you want to bind with freeradius and what auth. mech. do you want to use. Just use uncle google ;] On 15 Jul 2008 06:37:18 -, Sandeep [EMAIL PROTECTED] wrote: Hi, all members of free radius..I install fras fedora9 and want to make radius server but i am new in this field is any body help me to do this. first of all please provide me step to step tutorials so that i can read it and install configure my server .. with testing PLEASE HELP ME Sandeep rohilla -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Compiling client PAM files on Mac OS
1. Are all dependencies and includes satisfied? If yes, try moving them from a *nix system and put them into your build dir(edit properly pam_rad source code). [a guess] 2. If you are not a coder then you are located in a blackhole. 3. IMHO it's better to use slackintosh(http://workaround.ch/) than MacOSX. 4. Try to search over the net once more. On Tue, 15 Jul 2008 10:02:22 +0200, Nicolas Goutte [EMAIL PROTECTED] wrote: Am 14.07.2008 um 17:09 schrieb Paul Goodman: Sorry, but this doesn't really help me very much. Are you saying that because Mac OS is neither BSD nor GNU, the client files cannot be compiled? If there is a way to get them compiled, what is it? Sorry, I cannot help more, as neither I am the developer who worte the code nor I have time to look at the problem. I have only tried to give hints to where the problem could be. I am sorry if that is too short for you. Have a nice day! Nicolas Goutte wrote: Am 10.07.2008 um 18:28 schrieb Paul Goodman: Does anyone have some hacks to enable a clean compile on Mac OS X? When I try to run make, I get the following compile errors: cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o pam_radius_auth.c: In function ‘get_random_vector’: pam_radius_auth.c:358: error: storage size of ‘tz’ isn’t known pam_radius_auth.c:363: warning: implicit declaration of function ‘gettimeofday’ This would suggests that sys/time.h is not included. pam_radius_auth.c:358: warning: unused variable ‘tz’ pam_radius_auth.c: In function ‘talk_radius’: pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness pam_radius_auth.c: In function ‘pam_sm_authenticate’: pam_radius_auth.c:1102: warning: assignment from incompatible pointer type make: *** [pam_radius_auth.o] Error 1 Is there something besides the X Code that I need to have installed? Probably this is more a configuration problem, where MacOS is not BSD or even less GNU. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Strange password when authenticating via pppoe-server.
Hi!
Now I have a new problem.
When auth via radiusclient, everyting works fine:
radtest steve testing localhost 1813 somesecret
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned from
pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec
(rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from
exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
I've also tried to auth using this command(and the login is also
successful):
echo User-Name = steve, CHAP-Password = testing | radclient localhost
auth somesecret
But when i've had tried to login from a client (windows xp) station using
the pppoe-server(on the server) the debug output looks like this:
Force PAP(require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password
ŞĂ23ćtn?? 8šľ1RĄ
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned from
pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in the
password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Force CHAP(require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap
(rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve with
CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password
testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned from
chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 12:13:09 2008 : Debug: Cleaning up request 0 ID 57 with
timestamp +8
Sat Jul 12 12:13:09 2008 : Debug: Ready to process requests.
What's wrong again?
Thanks !
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Strange password when authenticating via pppoe-server.
Hi!
Now I have a new problem.
When auth via radiusclient, everyting works fine:
radtest steve testing localhost 1813 somesecret
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned from
pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec
(rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from
exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
I've also tried to auth using this command(and the login is also
successful):
echo User-Name = steve, CHAP-Password = testing | radclient localhost
auth somesecret
But when i've had tried to login from a client (windows xp) station using
the pppoe-server(on the server) the debug output looks like this:
Force PAP(require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password
ŞĂ23ćtn?? 8šľ1RĄ
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned from
pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in the
password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Force CHAP(require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap
(rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve with
CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password
testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned from
chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 12:13:09 2008 : Debug: Cleaning up request 0 ID 57 with
timestamp +8
Sat Jul 12 12:13:09 2008 : Debug: Ready to process requests.
What's wrong again?
Thanks !
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Strange password when authenticating via pppoe-server.
.
Sat Jul 12 15:54:03 2008 : Debug: Going to the next request
Sat Jul 12 15:54:03 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 15:54:08 2008 : Debug: Cleaning up request 0 ID 59 with
timestamp +8
Sat Jul 12 15:54:08 2008 : Debug: Ready to process requests.
On Sat, 12 Jul 2008 12:25:44 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
Post the whole debug including the request. You have chopped off the
front bit.
Ivan Kalik
Kalik Informatika ISP
Dana 12/7/2008, Maciej Drobniuch [EMAIL PROTECTED] piše:
Hi!
Now I have a new problem.
When auth via radiusclient, everyting works fine:
radtest steve testing localhost 1813 somesecret
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated
successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned
from
pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec
(rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from
exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
I've also tried to auth using this command(and the login is also
successful):
echo User-Name = steve, CHAP-Password = testing | radclient localhost
auth somesecret
But when i've had tried to login from a client (windows xp) station using
the pppoe-server(on the server) the debug output looks like this:
Force PAP(require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password
Ĺ#65533;Ä#65533;23Ä#65533;tn?? 8ĹĄÄž1RÄ#65533;
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned
from
pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in
the
password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Force CHAP(require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap
(rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve
with
CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password
testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned
from
chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Sending Access-Reject of id 57 to 127.0.0.1
Re: Strange password when authenticating via pppoe-server.
Now it work's fine!
The password in the radiusclient was misspelled.
SORRY for trouble ;)
On Sat, 12 Jul 2008 12:25:44 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
Post the whole debug including the request. You have chopped off the
front bit.
Ivan Kalik
Kalik Informatika ISP
Dana 12/7/2008, Maciej Drobniuch [EMAIL PROTECTED] piše:
Hi!
Now I have a new problem.
When auth via radiusclient, everyting works fine:
radtest steve testing localhost 1813 somesecret
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated
successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned
from
pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec
(rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from
exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
I've also tried to auth using this command(and the login is also
successful):
echo User-Name = steve, CHAP-Password = testing | radclient localhost
auth somesecret
But when i've had tried to login from a client (windows xp) station using
the pppoe-server(on the server) the debug output looks like this:
Force PAP(require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password
Ĺ#65533;Ä#65533;23Ä#65533;tn?? 8ĹĄÄž1RÄ#65533;
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password
testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned
from
pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in
the
password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Force CHAP(require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap
(rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve
with
CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password
testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned
from
chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns
updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up
rlm_pap: WARNING! No known good password found for the user.
Hi!
radtest fred somepass localhost 1813 somesecret
Sending Access-Request of id 102 to 127.0.0.1 port 1812
User-Name = fred
User-Password = somepass
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=102,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)! (Shared secret is incorrect.)
radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=102,
length=56
User-Name = fred
User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.Double-check the
shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - fred
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 102 to 127.0.0.1 port 32770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 102 with timestamp +151
Ready to process requests.
cat client.conf
client 127.0.0.1 {
secret = somesecret
shortname = localhost
nastype = other
}
cat users
fred Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
wilma Auth-Type := CHAP, User-password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
barney Auth-Type := MS-CHAP, User-Password == somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
What's wrong with this line User-Password =
h\347`\005\270\202\336\336i~e\031\r\021[ ???
Thanks for the support!
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_pap: WARNING! No known good passwor d found for the user.
Hi!
I've deleted the old /sbin /bin /raddb dirs and then i've executed make
install in the freerad 2.0.5 dir...
So what is the fastest and the cleanest way to remove the old version?
Usually I use packages but I've had problems running radiusd when
installing from them...
Thanks and sorry for my lame eng.
On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files
don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP
Dana 11/7/2008, Maciej Drobniuch [EMAIL PROTECTED] piše:
Hi!
radtest fred somepass localhost 1813 somesecret
Sending Access-Request of id 102 to 127.0.0.1 port 1812
User-Name = fred
User-Password = somepass
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=102,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)! (Shared secret is incorrect.)
radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=102,
length=56
User-Name = fred
User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.Double-check
the
shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - fred
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 102 to 127.0.0.1 port 32770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 102 with timestamp +151
Ready to process requests.
cat client.conf
client 127.0.0.1 {
secret = somesecret
shortname = localhost
nastype = other
}
cat users
fred Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
wilma Auth-Type := CHAP, User-password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
barney Auth-Type := MS-CHAP, User-Password == somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
What's wrong with this line User-Password =
h\347`\005\270\202\336\336i~e\031\r\021[ ???
Thanks for the support!
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_pap: WARNING! No known good passwor d found for the user.
I've cleaned the mess up like you've said, but i've got new errors for you
which are not familiar to me ;)
Fri Jul 11 21:17:56 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Fri Jul 11 21:17:56 2008 : Debug: auth: Failed to validate the user.
Am I using an old definition of Auth-Type in my users file?
Or what ?
fred Auth-Type := Local, Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
With what should i replace the Auth-Type variable or variable name?
Thanks for your tips!
On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files
don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP
Dana 11/7/2008, Maciej Drobniuch [EMAIL PROTECTED] piše:
Hi!
radtest fred somepass localhost 1813 somesecret
Sending Access-Request of id 102 to 127.0.0.1 port 1812
User-Name = fred
User-Password = somepass
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=102,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)! (Shared secret is incorrect.)
radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=102,
length=56
User-Name = fred
User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.Double-check
the
shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - fred
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 102 to 127.0.0.1 port 32770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 102 with timestamp +151
Ready to process requests.
cat client.conf
client 127.0.0.1 {
secret = somesecret
shortname = localhost
nastype = other
}
cat users
fred Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
wilma Auth-Type := CHAP, User-password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
barney Auth-Type := MS-CHAP, User-Password == somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
What's wrong with this line User-Password =
h\347`\005\270\202\336\336i~e\031\r\021[ ???
Thanks for the support!
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_pap: WARNING! No known good passwor d found for the user.
-07-11 at 21:21 +0200, Maciej Drobniuch wrote:
I've cleaned the mess up like you've said, but i've got new errors for
you
which are not familiar to me ;)
Fri Jul 11 21:17:56 2008 : Debug: auth: No authenticate method
(Auth-Type)
configuration found for the request: Rejecting the user
Fri Jul 11 21:17:56 2008 : Debug: auth: Failed to validate the user.
Am I using an old definition of Auth-Type in my users file?
Or what ?
fred Auth-Type := Local, Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
With what should i replace the Auth-Type variable or variable name?
Thanks for your tips!
On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files
don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP
Dana 11/7/2008, Maciej Drobniuch [EMAIL PROTECTED] piše:
Hi!
radtest fred somepass localhost 1813 somesecret
Sending Access-Request of id 102 to 127.0.0.1 port 1812
User-Name = fred
User-Password = somepass
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=102,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port
1812
with invalid signature (err=2)! (Shared secret is incorrect.)
radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 32770,
id=102,
length=56
User-Name = fred
User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
NAS-IP-Address = 127.0.0.1
NAS-Port = 1813
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.Double-check
the
shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - fred
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 102 to 127.0.0.1 port 32770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 102 with timestamp +151
Ready to process requests.
cat client.conf
client 127.0.0.1 {
secret = somesecret
shortname = localhost
nastype = other
}
cat users
fred Cleartext-Password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
wilma Auth-Type := CHAP, User-password ==somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
barney Auth-Type := MS-CHAP, User-Password == somepass
Service-Type = Framed-User,
Framed-Protocol = PPP
What's wrong with this line User-Password =
h\347`\005\270\202\336\336i~e\031\r\021[ ???
Thanks for the support!
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CHAP-Password does NOT match local User-Password
Hi everyone !
I'm a newbie in freeradius.
I've tryied several freeradius versions, but i get always the same error:
auth: user supplied CHAP-Password does NOT match local User-Password
Currently i'm using freeradius 1.0.5 and i want to bind it with the
pppoe-server(accounts are mysql based).
This is the ppp auth part of the radiusd -X:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=50, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = qweqwe
CHAP-Password = 0x1a490e809284566aa959336e511314fe82
Calling-Station-Id = 00:04:61:5C:14:11
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705
modcall[authorize]: module auth_log returns ok for request 0
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'qweqwe'
modcall[authorize]: module dwukropki returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qweqwe, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
radius_xlat: 'qweqwe'
rlm_sql (sql): sql_set_user escaped user -- 'qweqwe'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'qweqwe' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = 'qweqwe' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as
value,r.op ??FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe'
AND n.name=r.UserName ORDER BY r.id'
rlm_sql_mysql: query: SELECT
r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op ??FROM
radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName
ORDER BY r.id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [qweqwe] (from client localhost port 0 cli
00:04:61:5C:14:11)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1:32772
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 486f753f
Nothing to do. Sleeping until we see a request.
Thanks for the support and sorry for my lame eng.
--
Maciej Drobniuch
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP-Password does NOT match local User-Password
On Tue, 08 Jul 2008 18:49:48 +0200, Alan DeKok [EMAIL PROTECTED] wrote: Upgrade to 2.0.5. I had tht version and the same error appeared You are forcing Auth-Type. Don't do that. So, what I must force to don't mess up things? And the passwords don't match. The passwords match. Do they have to be in plaint text (in db) or some kind of a hash ? How can I see what password (in plain, when auth in pap) comes in to freeradius from pppd. THANKS FOR YOUR SUPPORT! sorry for my lame eng. -- Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
