Issues with the users' file.

2003-12-24 Thread Drew Weaver
Greetings, happy holidays and all of that good stuff..

 I'm finally getting around to migrating our radius solution over to
FreeRadius, and I've noticed a few issues, hopefully they're easy. In my
users file I have around 45 users that have specific properties. Some of
them are Dedicated Dial-Up, some of them are Dual channel ISDN with static
IP, some of them are Dedicated Dual channel ISDN with static IP.. I'm having
some problems making my old users file entries jibe with the freeradius
lingo.

test    Password == "removedtoprotecttheinnocent"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Time = 18000,
        Framed-IP-Address = 209.22.201.121,
        Framed-IP-Netmask = 255.255.255.248,
        Ascend-Idle-Limit = 900,
        Ascend-Maximum-Channels = 2,
        Framed-Routing = None,
        Fall-Through = "1"

Doom    Password == "thepassword"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Time = 18000,
        Framed-IP-Address = 209.54.37.66,
        Framed-IP-Netmask = 255.255.255.255,
        Ascend-Idle-Limit = 900,
        Ascend-Maximum-Channels = 2,
        Framed-Routing = None,
        Fall-Through = "1"

Now, 99% of my users use PAP, and authenticate via the SYSTEM
method, this works excellent. However it seems that anyone who has a
password listed in the users file automatically 'requires' CHAP, is there a
way to make it 'allow CHAP if it has a password in users, but not REQUIRE
chap?' We were using an old version of Merit AAA and (it didn't even support
chap) but when we had users listed in the users file, it would allow them to
auth via PAP just like everyone else. 

Another problem I noticed is that there is a difference in between
what FreeRadius should be sending back to the NAS and what it is sending
back to the NAS.

Example.

For the 'Doom' account.

The doom account is basically getting all of the attributes of the DEFAULT
account... but it should be using its own account specific attributes.

DEFAULT Auth-Type = System
        Fall-Through = "1",
        Service-Type = Framed-User,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Ascend-Maximum-Time = 18000,
        Ascend-Idle-Limit = 900,
        Ascend-Maximum-Channels = 1

I have the default entry listed at the top of the file.

Anyone have any ideas?

-Drew



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Issues with the users' file.

2003-12-24 Thread Alan DeKok
Drew Weaver <[EMAIL PROTECTED]> wrote:
>   Now, 99% of my users use PAP, and authenticate via the SYSTEM
> method, this works excellent. However it seems that anyone who has a
> password listed in the users file automatically 'requires' CHAP, is there a
> way to make it 'allow CHAP if it has a password in users, but not REQUIRE
> chap?'

  I don't see how it "requires" chap.  The server is set up to *allow*
the user to use CHAP, if there's a plain-text password available.  But
nothing in the server *requires* chap.

  I would suggest reading the debug output of the server.  It will
tell you why CHAP is being used.

> The doom account is basically getting all of the attributes of the DEFAULT
> account... but it should be using its own account specific attributes.

  Which is what you told it to do:

> DEFAULT Auth-Type = System
> Fall-Through = "1",
...
> I have the default entry listed at the top of the file.

  See the docs.  The Fall-Through attribute tells it to continue
processing the "users" file, where it then finds the "Doom" entry.

  Look at the sample "users" file.  There's a reason the DEFAULTS are
listed at the bottom.

  Alan DeKok.
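
The ordering effect discussed in this thread, as an added example that is not part of either message and is not FreeRADIUS code. It is a simplified model of "users" file processing that assumes check items always match, that every reply item uses the "=" operator (add only if that attribute is not already in the reply), and that Fall-Through = "1" means "continue to later entries"; the names build_reply and changed are hypothetical.

```python
# Simplified model of "users" file processing (added example, not FreeRADIUS code).
# Assumptions: check items always match, every reply item uses "=" (add only if
# the attribute is not yet in the reply), Fall-Through = "1" means keep going.
DEFAULT = ("DEFAULT", [
    ("Fall-Through", "1"),
    ("Service-Type", "Framed-User"),
    ("Framed-IP-Address", "255.255.255.254"),
    ("Framed-MTU", "576"),
    ("Framed-Protocol", "PPP"),
    ("Framed-Compression", "Van-Jacobson-TCP-IP"),
    ("Ascend-Maximum-Time", "18000"),
    ("Ascend-Idle-Limit", "900"),
    ("Ascend-Maximum-Channels", "1"),
])
DOOM = ("Doom", [
    ("Service-Type", "Framed"),
    ("Framed-Protocol", "MPP"),
    ("Ascend-Maximum-Time", "18000"),
    ("Framed-IP-Address", "209.54.37.66"),
    ("Framed-IP-Netmask", "255.255.255.255"),
    ("Ascend-Idle-Limit", "900"),
    ("Ascend-Maximum-Channels", "2"),
    ("Framed-Routing", "None"),
    ("Fall-Through", "1"),
])

def build_reply(entries, username):
    """Walk entries top to bottom and return the merged reply attributes."""
    reply = {}
    for name, items in entries:
        if name not in (username, "DEFAULT"):
            continue
        fall_through = False
        for attr, value in items:
            if attr == "Fall-Through":        # control item, not sent to the NAS
                fall_through = value.lower() in ("1", "yes")
            else:
                reply.setdefault(attr, value)  # "=": first value seen wins
        if not fall_through:
            break
    return reply

def changed(a, b):
    """Attributes whose value differs between two replies."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

default_first = build_reply([DEFAULT, DOOM], "Doom")  # layout from the question
default_last = build_reply([DOOM, DEFAULT], "Doom")   # DEFAULT moved to the bottom
print(changed(default_first, default_last))
```

With DEFAULT first, the Doom entry only contributes the attributes DEFAULT did not set; with DEFAULT last, Doom's own values win and DEFAULT fills in the rest.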
