RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Hi Ivan, I used the following user record: a...@radius User-Password == "test" Service-Type = Framed-User, Framed-Protocol = PPP And I sent a CHAP request, authentication still work. rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212, length=188 User-Name = "a...@radius" CHAP-Password = 0x01fb483b2d567fd0e128500a3ce0980d0b Service-Type = Framed-User Framed-Protocol = PPP NAS-Identifier = "Quiet" NAS-Port = 167903232 NAS-Real-Port = 2717909092 NAS-Port-Type = Virtual NAS-Port-Id = "10/2 vlan-id 100 pppoe 372" Medium-Type = DSL Mac-Addr = "00-0c-29-10-12-c3" Platform-Type = SmartEdge-800 OS-Version = "6.1.2.6p9" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m% d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius" rlm_realm: No such realm "RADIUS" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry a...@radius at line 148 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "a...@radius" with CHAP password rlm_chap: Using clear text password "test" for user a...@radius authentication. rlm_chap: chap user a...@radius authenticated succesfully modcall[authenticate]: module "chap" returns ok for request 0 modcall: leaving group CHAP (returns ok) for request 0 Login OK: [...@radius/] (from client SE-Quiet port 167903232) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 rlm_ippool: Could not find Pool-Name attribute. modcall[post-auth]: module "main_pool" returns noop for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m %d expands to /usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617 modcall[post-auth]: module "reply_log" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 212 to 10.205.1.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Finished request 0 -Original Message- From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.o rg [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.free radius.org] On Behalf Of Ivan Kalik Sent: June-17-09 11:02 AM To: FreeRadius users mailing list Subject: RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication. > Just out for sake of completeness. On FreeRADIUS Version 1.1.7 > > I tried both User-Password == "test" and Cleartext-Password := "test". > > They both work fine when the user entry is before default setting in > users file. For a pap request. Try sending chap or mschap request and see what happens. Cleartext-Password will work with all cases, User-Password won't. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Wed, 17 Jun 2009, Elias Abou Zeid wrote: Just out for sake of completeness. On FreeRADIUS Version 1.1.7 I tried both User-Password == "test" and Cleartext-Password := "test". They both work fine when the user entry is before default setting in users file. Just to let you know. Elias Thank you, Elias. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7 > > I tried both User-Password == "test" and Cleartext-Password := "test". > > They both work fine when the user entry is before default setting in > users file. For a pap request. Try sending chap or mschap request and see what happens. Cleartext-Password will work with all cases, User-Password won't. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Elias Abou Zeid wrote: > Just out for sake of completeness. On FreeRADIUS Version 1.1.7 > > I tried both User-Password == "test" and Cleartext-Password := "test". > > They both work fine when the user entry is before default setting in > users file. Yes. Because *old* versions of the server accepted 'User-Password ==', and not 'Cleartext-Password :='. We try to keep compatibility between versions of the server. Even with that, 'User-Password ==' is wrong. It's been wrong for nearly three years now. Any blog, web page, "howto", etc. that suggests it is wrong, and is out of date. At some point, that backwards compatibility will be removed. Any systems still using "User-Password ==" will then *break*. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Hi, Just out for sake of completeness. On FreeRADIUS Version 1.1.7 I tried both User-Password == "test" and Cleartext-Password := "test". They both work fine when the user entry is before default setting in users file. Just to let you know. Elias -Original Message- From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.o rg [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.free radius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk Sent: June-17-09 4:09 AM To: FreeRadius users mailing list Subject: Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication. Hi, > I still suggest: > >> abcUser-Password == "test" that is wrong. wrong and wrong Elias, please put your entry at the top of the users file - or remove the DEFAULT Auth-Type == System from your config (this forces the server to always use 'system' auth - which you really dont want) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Alan, It worked after I put my user entry before DEFAULT Auth-Type == System. Thanks for your help, Elias -Original Message- From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.o rg [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.free radius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk Sent: June-17-09 4:09 AM To: FreeRadius users mailing list Subject: Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication. Hi, > I still suggest: > >> abcUser-Password == "test" that is wrong. wrong and wrong Elias, please put your entry at the top of the users file - or remove the DEFAULT Auth-Type == System from your config (this forces the server to always use 'system' auth - which you really dont want) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote: a...@radius Cleartext-Password := "test" Service-Type = Framed-User, Framed-Protocol = PPP Why do you specify a realm (@RADIUS)? Try removing it, or, as suggested by others, specift a default realm. users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 These lines tell us that you have more rules in your users file than the one you list above. Taken at face value, looks like two rules with 'fall through' followed by one without. And it never gets to the rule for 'abc'. Remember that radius looks for the first matching rule in your users file. DEFAULT rules should go at the bottom. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html