Re: Auth-Type := Accept - CHAP problems
Hi Alan and Ivan,

Alan DeKok wrote:
>> Config looks like this:
>>
>> DEFAULT Auth-Type := Accept
>>
> This completely bypasses any password checks.
>
>>         ERX-Virtual-Router-Name = "vpn:XXX",
>>         ERX-Egress-Policy-Name = "XXX",
>>         ERX-Local-Loopback-Interface = "loopback 255",
>>         Service-Type = Framed-User,
>>         Framed-Protocol = PPP,
>>         Fall-Through = Yes
>>
>> Test100 Password = "Test100"
>>
> Use:
>
> Test100 Cleartext-Password := "Test100"
>

OK - now I understand... with Cleartext-Password PAP and CHAP behave the same way... For us the wrong way :-)

Is there a possibility to solve it with freeradius?
We want to Accept all Users but give "authenticated" (correct username and password) users individual attributes and "non authenticated" users (wrong username and / or password) different attributes but no "Login incorrect".

--
Greetings
Thomas Buchberger
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth-Type := Accept - CHAP problems
Ivan Kalik wrote:
> Add Fall-Through = Yes to the DEFAULT entry if you want to check entries
> that come later in users file.

Fall-Through is active. With PAP it works - but not with CHAP. That's the problem ... I think the CHAP module handles wrong passwords and auth-type differently than the rlm_pap module.

Config looks like this:

DEFAULT Auth-Type := Accept
        ERX-Virtual-Router-Name = "vpn:XXX",
        ERX-Egress-Policy-Name = "XXX",
        ERX-Local-Loopback-Interface = "loopback 255",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

Test100 Password = "Test100"
        ERX-Virtual-Router-Name := YYY,
        ERX-Egress-Policy-Name := "YYY"

We're using Version 1.1.6 and give 2.0.5 a try...

--
Thomas Buchberger
Re: Auth-Type := Accept - CHAP problems
Hi Alan,

Alan DeKok wrote:
> :) It's simple... just read 1000's of lines of debugging output, and
> hordes of miscellaneous unrelated unorganized documentation files.
>

:-P

>> We have several different Users in user-files which works fine.
>> Now we want that the radius always answers with OK and no more "Login
>> incorrect" - but with other Options than a correct user.
>>
>> We appended in the config:
>> DEFAULT Auth-Type := Accept
>>
> ...
>
>> users: Matched entry DEFAULT at line 2
>>
>
> Is that entry at line 2 of the "users" file? If not, the server is
> matching an earlier entry, and not the one with Accept.
>

That's another DEFAULT entry to select between machines. The Accept is at the end after all users.

Now we've put the Accept before the users and - Same Problem! Different effect... With PAP everything works - but with CHAP: CHAP Passwords don't get checked and if the username is correct the user gets the wrong Options. Not really better...

Why does it work with PAP but not with CHAP? Maybe that's a bug?

Greetings
Thomas
Auth-Type := Accept - CHAP problems
Hi @ll,

we're playing with the freeradius features and are getting confused in the way it behaves:

We have several different Users in user-files which works fine.
Now we want that the radius always answers with OK and no more "Login incorrect" - but with other Options than a correct user.

We appended in the config:

DEFAULT Auth-Type := Accept
        ... various Options ...

This works with PAP/CHAP, when the user is not listed in a users file. It also works with PAP when the user is in a list, but not with CHAP!

Is there a way to realize this?

Debug says:

rad_recv: Access-Request packet from host XXX:XX, id=114, length=263
        User-Name = "XXX"
        Acct-Session-Id = "XXX"
        CHAP-Password = XXX
        CHAP-Challenge = XXX
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = "XXX"
        Calling-Station-Id = "XXX"
        NAS-Port-Type = Ethernet
        NAS-Port = XXX
        NAS-Port-Id = "XXX"
        NAS-IP-Address = XXX
        NAS-Identifier = "XXX"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 10
rlm_realm: No '@' in User-Name = "XXX", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
users: Matched entry DEFAULT at line 2
modcall[authorize]: module "files" returns ok for request 10
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 10
modcall: leaving group authorize (returns ok) for request 10
Found Autz-Type autz_DSL_B
Processing the authorize section of radiusd.conf
modcall: entering group autz_DSL_B for request 10
users: Matched entry XXX at line 335992
modcall[authorize]: module "autzfile_DSL_B" returns ok for request 10
modcall: leaving group autz_DSL_B (returns ok) for request 10
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 10
rlm_chap: login attempt by "XXX" with CHAP password
rlm_chap: Using clear text password "XXX" for user XXX authentication.
rlm_chap: Password check failed
modcall[authenticate]: module "chap" returns reject for request 10
modcall: leaving group CHAP (returns reject) for request 10
auth: Failed to validate the user.

--
Thomas Buchberger
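
Added example, not part of the original thread and not FreeRADIUS code: the CHAP comparison behind the "rlm_chap: Password check failed" line above, following the RFC 1994 / RFC 2865 calculation. It shows why a CHAP check needs a known-good cleartext password on the server side; the function names, CHAP ID and challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value: 1-byte CHAP ID followed by the 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password_attr: bytes, challenge: bytes,
                known_password: Optional[bytes]) -> str:
    """Server-side check of a CHAP-Password attribute.

    The server never receives the password itself, only the MD5 output, so it
    has to recompute the response from a cleartext copy it already holds.
    """
    if len(chap_password_attr) != 17:
        return "malformed"
    if known_password is None:
        # Nothing to recompute the response from: no check is possible.
        return "no-known-good-password"
    chap_id = chap_password_attr[0]
    expected = chap_response(chap_id, known_password, challenge)
    # Constant-time comparison of the 16-byte digests.
    if hmac.compare_digest(expected, chap_password_attr[1:]):
        return "accept"
    return "reject"


# Constructed sample values (not taken from the debug output above).
SAMPLE_ID = 0x72
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_ATTR = build_chap_password(SAMPLE_ID, b"Test100", SAMPLE_CHALLENGE)

if __name__ == "__main__":
    # A stored hash of the password is useless for CHAP: only the cleartext works.
    stored_hash = hashlib.md5(b"Test100").hexdigest().encode()
    for label, known in [("cleartext", b"Test100"), ("wrong", b"Test101"),
                         ("md5 of password", stored_hash), ("none", None)]:
        print(f"{label:16} -> {verify_chap(SAMPLE_ATTR, SAMPLE_CHALLENGE, known)}")
```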