Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Charles Gregory wrote:
> Okay, this isn't just my favorite quibbler jumping on me. So I have to
> ask, even if there is a 'better' syntax, or a 'preferred' way of doing
> things, why is this 'standard' old radius check item so 'wrong'?

The '==' operator should be *comparing* attributes. There should be no magic needed to compare attributes. Until 1.1.4, the code had magic specifically for User-Password.

This kind of magic is wrong on many levels. It makes the code more complex, it is inconsistent, and it breaks the principle of "least surprise".

In addition to that, many authentication methods do *not* contain a User-Password. So if we got rid of that magic without doing anything else, checking "User-Password == foo" for EAP requests will *always* fail. This will make administrators unhappy.

There is a simple solution. Tell the server what the "known good" password is. Let the modules do the authentication. So the MS-CHAP module will take the "known good" password, do its MS-CHAP calculations, and compare that to what's in the packet. The same goes for CHAP, EAP, and other authentication protocols.

That's why we have Cleartext-Password, NT-Password, Crypt-Password, and others. Those are all different forms of the "known good" password. And because they are "server side" attributes, they will *never* go into a packet. This is a Good Thing.

This argument is the same argument against using "Auth-Type = LDAP". LDAP is a *database*. Using it as an authentication server is *wrong*, because LDAP servers don't implement CHAP, MS-CHAP, EAP, etc. Until the documentation and examples were updated to SHOUT at people "don't use Auth-Type = LDAP", there were weekly complaints that people had followed some horrible third-party guide, and couldn't get EAP working.

> I checked the docs, and it *appears* that checking an input attribute
> value against a hard-coded constant is still valid syntax.

Yes. And there is magic to deal with User-Password, so that it does what users expect, and *not* what is the "right" thing to do.

> So why is Input-Attribute == "value" now wrong?

It's not. Doing those comparisons on User-Password is wrong. *Unless* you want to break every authentication method other than PAP.

> Or is '==' deprecated for all check items past a certain release?

No.

> If so, why is it still in the 'users' man page for 2.x?

Because it works.

> I finally noticed that "Cleartext-Password" is not an input attribute,

Yes. It's a "check" attribute. See the "users" file documentation for how check attributes are treated.

> which suggests that there is something 'different' about the way we're
> now specifying input attribute checking in the users file. I don't doubt
> that it 'makes sense' according to some new way of doing things, but it
> looks like an amazing departure from 'classic' Livingston syntax

Yes. The Livingston server was wrong. It had magic to deal with 'User-Password = foo', that made it work for CHAP authentication. This was (and still is) ugly.

The Livingston server also read the entire "users" file into memory for *every* request. That behavior was wrong, too. The Livingston server didn't cache requests and responses, so it would re-process duplicates, causing unnecessary delays and load. See RFC 5080 for the *FreeRADIUS* way of doing things, which all RADIUS servers have now implemented.

> If so, I'm *really* glad I didn't upgrade my live version. :-O

Upgrading versions always requires care and attention. This is no different.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Wed, 17 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
>> abc User-Password == "test"
>
> that is wrong. wrong and wrong

Okay, this isn't just my favorite quibbler jumping on me. So I have to ask, even if there is a 'better' syntax, or a 'preferred' way of doing things, why is this 'standard' old radius check item so 'wrong'?

I checked the docs, and it *appears* that checking an input attribute value against a hard-coded constant is still valid syntax. Though I notice that the example that both Elias and I quote is *gone* from the 1.1.7 docs (Elias, please check, I think you have man pages and/or documentation from a version of FR earlier than your 1.1.7! This really confuses things!).

So why is Input-Attribute == "value" now wrong? Is it just wrong for the Passwords? Groups? Or is '==' deprecated for all check items past a certain release? If so, why is it still in the 'users' man page for 2.x?

I finally noticed that "Cleartext-Password" is not an input attribute, which suggests that there is something 'different' about the way we're now specifying input attribute checking in the users file. I don't doubt that it 'makes sense' according to some new way of doing things, but it looks like an amazing departure from 'classic' Livingston syntax. If so, I'm *really* glad I didn't upgrade my live version. :-O

- Charles

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> I still suggest:
>
> abc User-Password == "test"

that is wrong. wrong and wrong

Elias, please put your entry at the top of the users file - or remove the DEFAULT Auth-Type == System from your config (this forces the server to always use 'system' auth - which you really don't want)

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
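To make the ordering advice above concrete, here is a minimal users file in the 1.1.4+ / 2.x syntax. It is an added illustration, not configuration taken from the thread or from the FreeRADIUS distribution; the entry names, password and DEFAULT entry are made up. The files module walks the entries from the top and stops at the first match unless that entry sets Fall-Through, and a check item written with ':=' replaces any attribute of the same name, so a DEFAULT entry with "Auth-Type := System" that sits above the subscriber's entry forces system (unix) authentication on every request regardless of the Cleartext-Password that follows.

```text
#
# users  -  FreeRADIUS 1.1.4 and later.  Added example, not from the thread.
#
# Real subscribers first.  Check items go on the entry's first line; reply
# items go on the indented lines that follow, separated by commas.
#
# Cleartext-Password is a "known good" password that exists only on the
# server side.  It never goes into a packet; rlm_pap, rlm_chap and rlm_mschap
# each take it and verify whatever proof the NAS actually sent.
# Auth-Type is deliberately NOT set; the server chooses it from the request.
abc	Cleartext-Password := "passwd"
	Service-Type = Framed-User,
	Framed-Protocol = PPP

# WRONG: compares the User-Password attribute against a constant.  Only PAP
# puts a User-Password in the request (and it works there only because of the
# server's compatibility magic); a CHAP, MS-CHAP or EAP request carries no
# User-Password at all, so this check item can never match for them.
#abc	User-Password == "passwd"

# Catch-all entries go last.  If an entry like
#
#     DEFAULT	Auth-Type := System
#
# sat above "abc", every request would pick up Auth-Type System from it, and
# the unix module rather than rlm_pap would be asked to authenticate
# (compare "Found Auth-Type System" / "unix returns notfound" in the debug
# output quoted later in this thread).  Delete it, or keep it below the users.
DEFAULT	Service-Type == Framed-User
	Framed-Protocol = PPP,
	Fall-Through = Yes
```

Test any change with "radiusd -X": the debug output names each users entry that matched ("users: Matched entry ... at line N") and the Auth-Type the server ended up with, which is the quickest way to see whether a DEFAULT entry is being hit before the real one.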
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Charles Gregory wrote:
> On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
>> Sorry for the :=, == confusion. I was doing it right using ==.
>
> Neither is 'right' or 'wrong'.

Using "User-Password == foo" is wrong. Using "Cleartext-Password := foo" is right.

> You just need to be sure what you want to
> achieve with them. I'm not a complete expert on this, so if in doubt,
> try it *both* ways. (smile) One of them will work.

How about suggesting that people follow the instructions on this list? He was already told multiple times what was right, and what was wrong.

Do not give people incorrect advice. It means that they won't solve their problem, and it means that I now have *three* times the work to do. One, to tell them what to do. Two, to tell you your advice is mistaken, and three, to convince them to *not* follow your advice.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

Neither is 'right' or 'wrong'. You just need to be sure what you want to achieve with them. I'm not a complete expert on this, so if in doubt, try it *both* ways. (smile) One of them will work.

I still suggest:

abc	User-Password == "test"
	Service-Type = Framed-User,
	Framed-Protocol = PPP

...and make sure there are no default entries to interfere. :)

- C

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

No, using == is wrong.

> So now I have:
>
> a...@radius User-Password == "test"

That's wrong.

> Now after enabling the radius -X, I get:
...
> WARNING: Unprintable characters in the password. ? Double-check the
> shared secret on the server and the NAS!
>
> So it seems the password radius is receiving is different than what I am
> giving. I checked the shared secret between server and NAS, it matches!
> I am not sure why?

The shared secrets do NOT match. This is in the FAQ. Don't check them. Re-enter them.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Ok gentlemen,

Sorry for the :=, == confusion. I was doing it right using ==. So now I have:

a...@radius	User-Password == "test"
	Service-Type = Framed-User,
	Framed-Protocol = PPP

Now after enabling the radius -X, I get:

rad_recv: Access-Request packet from host 10.205.1.1:1812, id=53, length=187
	User-Name = "a...@radius"
	User-Password = "\361\305\244qY\303.N\331o\200>\027\236L\340"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Identifier = "Quiet"
	NAS-Port = 167903232
	NAS-Real-Port = 2717909092
	NAS-Port-Type = Virtual
	NAS-Port-Id = "10/2 vlan-id 100 pppoe 342"
	Medium-Type = DSL
	Mac-Addr = "00-0c-29-10-12-c3"
	Platform-Type = SmartEdge-800
	OS-Version = "6.1.2.6p9"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module "auth_log" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
    rlm_realm: No such realm "RADIUS"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password: Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: leaving group authenticate (returns notfound) for request 2
auth: Failed to validate the user.
Login incorrect: [...@radius/\361\305\244qY\303.N\331o\200>\027\236L\340] (from client SE-Quiet port 167903232)
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!

So it seems the password radius is receiving is different than what I am giving. I checked the shared secret between server and NAS, it matches! I am not sure why?

Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.org On Behalf Of Alan DeKok
Sent: June-16-09 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

Elias Abou Zeid wrote:
> I am trying a simple authenticate pppoe subscriber in radius server (v
> 1.188.2.4.2.11)

That's a CVS revision string. If it's in the binary you have, you're running 1.1.x. Your server is more than 2 years out of date.

> for subscribers coming through Redback SmartEdge 800 router. As I am
> new to this I am looked for some examples for users configuration on
> RADIUS but could not find.

Version 2.1 has greatly improved documentation, including many examples.

> I have tried something out
> but seems missing certain stuff:
>
> abc Auth-Type := Local, Password == "passwd"

In 1.1.7:

abc	Cleartext-Password := "passwd"

Don't set Auth-Type.

> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Bind_Auth_Context = RADIUS
>
> Thanks for referring me to some examples.

And what does the server say when you run it with "radiusd -X"? This is in the FAQ, README, "man" page, and nearly daily on this list.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
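Two points in this thread are easier to see in code than in prose: Alan's argument (at the top of the page) that the server should hold the "known good" password and let each method's module verify the packet, so that a 'User-Password == "..."' check item can only ever work for PAP; and the "Unprintable characters in the password" warning in the debug output just above, which is what a PAP password looks like once it has been unhidden with the wrong shared secret. The following Python is an added example, not FreeRADIUS code. It implements the RFC 2865 section 5.2 User-Password hiding and the RFC 1994 / RFC 2865 section 5.3 CHAP response, and models the server's decision in a few lines. The shared secrets, password and Request Authenticator are constructed values; `has_unprintable` is my own approximation of the heuristic behind radiusd's warning, not its exact code.

```python
"""Added example (not FreeRADIUS code): why the server wants a known-good
password rather than a 'User-Password == "..."' comparison, and what a wrong
shared secret does to a PAP password.  All secrets/passwords are constructed."""
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2, NAS side.  In 16-octet blocks:
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2, server side.  A different secret gives a different
    MD5 keystream, so the result is noise rather than the typed password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out, prev = out + _xor(chunk, hashlib.md5(secret + prev).digest()), chunk
    return out.rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """My approximation (not radiusd's exact code) of the check behind the
    'Unprintable characters in the password' warning: PAP passwords are text,
    so control or high bytes after unhiding almost always mean a secret mismatch."""
    return any(b < 0x20 or b > 0x7E for b in password)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 section 5.3: ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def receive(packet: dict, server_secret: bytes) -> dict:
    """Server-side decoding: User-Password is unhidden as the packet comes in,
    before any module or 'users' entry sees the request."""
    request = dict(packet)
    if "User-Password" in request:
        request["User-Password"] = unhide_user_password(
            request["User-Password"], server_secret, request["Request-Authenticator"])
    return request


def check_item_user_password_eq(request: dict, value: bytes) -> bool:
    """All a 'User-Password == "value"' check item can do: compare an attribute
    that is actually present in the request against a constant."""
    return request.get("User-Password") == value


def authenticate(request: dict, known_good: bytes) -> bool:
    """What the server can do when it holds the known-good (Cleartext-Password)
    value: give it to the method matching the packet, as rlm_chap/rlm_pap do."""
    if "CHAP-Password" in request:                      # CHAP: recompute the response
        challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
        expected = chap_response(request["CHAP-Password"][0], known_good, challenge)
        return hmac.compare_digest(request["CHAP-Password"], expected)
    if "User-Password" in request:                      # PAP: compare the unhidden text
        return hmac.compare_digest(request["User-Password"], known_good)
    return False                                        # EAP etc. need their own module


def demo() -> dict:
    secret, known_good = b"testing123", b"test"          # constructed, not from the thread
    ra = bytes(range(16))                                 # constructed Request Authenticator
    pap = receive({"User-Name": b"abc", "Request-Authenticator": ra,
                   "User-Password": hide_user_password(known_good, secret, ra)}, secret)
    chap = receive({"User-Name": b"abc", "Request-Authenticator": ra,
                    "CHAP-Password": chap_response(0x2A, known_good, ra)}, secret)
    # NAS configured with a secret that differs from the server's by one character.
    mismatch = receive({"User-Name": b"abc", "Request-Authenticator": ra,
                        "User-Password": hide_user_password(known_good, b"testing124", ra)}, secret)
    return {
        "pap_check_item": check_item_user_password_eq(pap, known_good),     # True: PAP only
        "chap_check_item": check_item_user_password_eq(chap, known_good),   # False: no User-Password
        "pap_auth": authenticate(pap, known_good),                          # True
        "chap_auth": authenticate(chap, known_good),                        # True
        "mismatch_auth": authenticate(mismatch, known_good),                # False
        "mismatch_unprintable": has_unprintable(mismatch["User-Password"]), # True: the warning case
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The CHAP case is the whole argument in one line: the request carries a 16-byte MD5 over the password and a challenge, never the password itself, so there is nothing for a 'User-Password == "test"' check item to compare against, while a server holding the cleartext can recompute the response. The mismatch case is the warning in the debug output: a NAS and server that disagree on the secret still exchange well-formed packets, but every User-Password decodes to bytes no one would type, which is why the answer on this list is always to re-enter the secret on both sides rather than eyeball it.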
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

>> that's true for 1.1.6 (iirc) upwards
>
> 1.1.4 and later.

my how time really flies. I've just been updating some boilerplate/logo/copyright stuff on some code tonight that was all 2004. sheesh. it's a nostalgic evening.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> According to the 'users' man page (man 5 users):
>
>    Attribute := Value
>        Always matches as a check item, and replaces in the
>        configuration items any attribute of the same name.

as a check item - you won't have two passwords in a request. if there was such a condition then it would be sorted.

> Requests containing the User-Name attribute, with value
> "bob", will be authenticated using the password "bob".
>
> Which is, I think, a typo. It should say "authenticated with the password
> "hello", shouldn't it?

yep - don't worry, the typo also crept into the WIKI http://wiki.freeradius.org/Operators

EXAMPLES
    bob	Cleartext-Password := "hello"

    Requests containing the User-Name attribute, with value "bob", will be authenticated using the password "bob". There are no reply items, so the reply will be empty.

should be

EXAMPLES
    bob	Cleartext-Password := "hello"

    Requests containing the User-Name attribute, with value "bob", will be authenticated using the password "hello". There are no reply items, so the reply will be empty.

but at least the operator is right. it's good to have a new proof reader on board! ;-)

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
a.l.m.bu...@lboro.ac.uk wrote:
> abc Cleartext-Password := "passwd"
>
> that's true for 1.1.6 (iirc) upwards

1.1.4 and later.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
>> abc User-Password == "passwd"
>
> huh?
>
> abc Cleartext-Password := "passwd"
>
> that's true for 1.1.6 (iirc) upwards

My turn to 'huh?'. According to the 'users' man page (man 5 users):

    Attribute := Value
        Always matches as a check item, and replaces in the
        configuration items any attribute of the same name.

My impression from the OP's first use of "==" was that he was hard-coding the password into the users file. So wouldn't the above code 'replace' the password, producing an 'always authenticates' kind of condition?

The example in the users man itself is:

EXAMPLES
    bob	User-Password == "hello"

    Requests containing the User-Name attribute, with value "bob", will be authenticated using the password "bob".

Which is, I think, a typo. It should say "authenticated with the password "hello", shouldn't it?

- Charles

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
Hi,

> abc User-Password == "passwd"

huh?

abc	Cleartext-Password := "passwd"

that's true for 1.1.6 (iirc) upwards

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
> I tried the different suggestions but I still get authentication login
> incorrect even though the username and password passed by the Redback
> router are correct and as filled in subscribers record On Radius server.
>
> a...@radius User-Password := "passwd"

This syntax SETS the User-Password attribute. It's almost like saying "accept any password and replace it with this value". Please review "man 5 users" for the use of "=", ":=", et al.

Have you tried:

abc	User-Password == "passwd"
	Service-Type = Framed-User,
	Framed-Protocol = PPP

I don't know what this next line does, so unless *you* do, may I suggest leaving it out while testing?

	Bind_Auth_Context = RADIUS

- Charles

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
Elias Abou Zeid wrote:
> I tried the different suggestions but I still get authentication login
> incorrect even though the username and password passed by the Redback
> router are correct and as filled in subscribers record
> On Radius server.
>
> a...@radius User-Password := "passwd"

You have not used the configuration I suggested. Why?

> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Bind_Auth_Context = RADIUS
>
> Tue Jun 16 13:36:10 2009 : Auth: Login incorrect:
> [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from
> client SE-Quiet port 167903232)

Run the server in debugging mode, as I suggested. It will tell you what's going wrong: The shared secret is WRONG.

You need to fix the shared secret. You need to follow the instructions on this list. Nothing else will fix the problem.

> Please advise.

We did. You did not follow instructions. Why do you ask for advice if you don't follow the advice you're given?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Free Radius users record samples for SmartEdge router subscriber authentication.
I tried the different suggestions but I still get authentication login incorrect even though the username and password passed by the Redback router are correct and as filled in subscribers record On Radius server.

a...@radius	User-Password := "passwd"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Bind_Auth_Context = RADIUS

Tue Jun 16 13:36:10 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)
Tue Jun 16 13:36:20 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)
Tue Jun 16 13:36:30 2009 : Auth: Login incorrect: [...@radius/\032\204\2639\024\033\033\021[\371s\212\323\031\366x] (from client SE-Quiet port 167903232)

I decoded the packets sent by Redback router to RADIUS:

Authenticator Field: 46 49 cf c2 77 d5 3f e3 d6 16 32 91 7c 35 16 87
User-Name: a...@radius
User-Password: 55 df f0 56 30 d1 c0 ed de b9 26 1c 95 48 c5 69
Service-Type: Framed-User (2)
Framed-Protocol: PPP (1)
NAS-Identifier: Quiet
NAS-Port: 0x0a02
RBN:NAS-Real-Port: 0xa264
NAS-Port-Type: Virtual (5)
NAS-Port-Id: 10/2 vlan-id 100 pppoe 334
RBN:Medium-Type: DSL (11)
RBN:MAC-Address: 00-0c-29-10-12-c3
RBN:Platform-Type: SE-800 (2)
RBN:OS-Version: 6.1.2.6p9

And response of Radius:

Authenticator Field: 90 1f 01 e2 ab cd 2d 30 ef 45 df 4e 66 eb e7 9e

Please advise.

Thanks,
Elias

-----Original Message-----
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org On Behalf Of Alan DeKok
Sent: June-16-09 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

Elias Abou Zeid wrote:
> I am trying a simple authenticate pppoe subscriber in radius server (v
> 1.188.2.4.2.11)

That's a CVS revision string. If it's in the binary you have, you're running 1.1.x. Your server is more than 2 years out of date.

> for subscribers coming through Redback SmartEdge 800 router. As I am
> new to this I am looked for some examples for users configuration on
> RADIUS but could not find.

Version 2.1 has greatly improved documentation, including many examples.

> I have tried something out
> but seems missing certain stuff:
>
> abc Auth-Type := Local, Password == "passwd"

In 1.1.7:

abc	Cleartext-Password := "passwd"

Don't set Auth-Type.

> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Bind_Auth_Context = RADIUS
>
> Thanks for referring me to some examples.

And what does the server say when you run it with "radiusd -X"? This is in the FAQ, README, "man" page, and nearly daily on this list.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html