RE: CIsco Pix and FreeRadius....
Read the comments in radiusd.conf.

[EMAIL PROTECTED] 1/18/2006 10:49:23 am

> Done that, fixed the issue. Now I want to use ldap with freeradius, is that possible?
>
> Tripp Sills
> Senior Network Engineer - Information Technology
> [EMAIL PROTECTED]
> Direct Mail Express
> 2441 Bellevue Avenue Extension
> Daytona Beach, FL
> Office # (386) 271 - 3288
> Cell# (386) 566 - 4053
> Fax# (386) 271 - 3289
>
> The information in this Internet e-mail, including attachments, is confidential and may be legally privileged. It is intended solely for the addressee. Access by any other person to this Internet e-mail is not authorized. If you are not the intended recipient, please delete this Internet e-mail and notify me by return e-mail or at (386) 271-3288. Any unauthorized disclosure of the parties to this e-mail, and any unauthorized disclosure, dissemination, distribution, copying, or any action taken or omitted to be taken in reliance on this email, including attachments, is prohibited and may be unlawful.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, January 18, 2006 11:22 AM
> To: FreeRadius users mailing list
> Subject: Re: CIsco Pix and FreeRadius
>
> Sills, Tripp [EMAIL PROTECTED] wrote:
> > I am not altering the users file all I have in it is :
> > I was using the same username and password for both. Below is my users file.
>
> Perhaps I was unclear. *YOU* should read the users file and compare its
> entries to what's in the debug log. If you don't understand what you
> configured or how it works, then you're never going to solve the problem.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: CIsco Pix and FreeRadius....
file).
#
# Note that by setting Fall-Through, other attributes will be added from
# the following DEFAULT entries
#
#swilson        Service-Type == Framed-User, Huntgroup-Name == alphen
#               Framed-IP-Address = 192.168.1.65,
#               Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT        Suffix == .shell, Auth-Type := System
#               Service-Type = Login-User,
#               Login-Service = Telnet,
#               Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT        Auth-Type = System
#               Fall-Through = 1
#
# Set up different IP address pools for the terminal servers.
# Note that the + behind the IP address means that this is the base
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == alphen
#               Framed-IP-Address = 192.168.1.32+,
#               Fall-Through = Yes
#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == delft
#               Framed-IP-Address = 192.168.2.32+,
#               Fall-Through = Yes
#
# Defaults for all framed connections.
#
DEFAULT         Service-Type == Framed-User
                Framed-IP-Address = 255.255.255.254,
                Framed-MTU = 576,
                Service-Type = Framed-User,
                Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
# by the terminal server in which case there may not be a P suffix.
# The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT         Framed-Protocol == PPP
                Framed-Protocol = PPP,
                Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT         Hint == CSLIP
                Framed-Protocol = SLIP,
                Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT         Hint == SLIP
                Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
#               Service-Type = Login-User,
#               Login-Service = Rlogin,
#               Login-IP-Host = shellbox.ispdomain.com
#
#
#
# Last default: shell on the local terminal server.
#
#
# DEFAULT
#               Service-Type = Shell-User
# On no match, the user is denied access.

tripp           Auth-Type := Local, User-Password == tripp
tripp1          Auth-Type := System, User-Password == tripp1

Tripp Sills
Senior Network Engineer - Information Technology
[EMAIL PROTECTED]
Direct Mail Express
2441 Bellevue Avenue Extension
Daytona Beach, FL
Office # (386) 271 - 3288
Cell# (386) 566 - 4053
Fax# (386) 271 - 3289

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, January 17, 2006 1:32 PM
To: FreeRadius users mailing list
Subject: Re: CIsco Pix and FreeRadius

Sills, Tripp [EMAIL PROTECTED] wrote:
> Notice the first request that comes from the 10.2.0.69... It is using the
> test aaa-server from the PIX itself. The other 2 are when I am connecting
> to the VPN client and trying to authenticate. It says Auth Type unknown.
> Any ideas Alan?

The only difference is in which entries it matches in the users file.
Read those entries to see what it's doing, and why.

Alan DeKok.
RE: CIsco Pix and FreeRadius....
request list ---
Sending Access-Reject of id 92 to 10.2.0.69:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 92 with timestamp 43ce5314
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=93, length=154
        User-Name = tripp
        User-Password = tripp
        NAS-Port = 755
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 68.208.135.26
        Calling-Station-Id = 24.73.134.236
        Tunnel-Client-Endpoint:0 = 24.73.134.236
        NAS-IP-Address = 10.2.0.69
        NAS-Port-Type = Virtual
        Cisco-AVPair = ip:source-ip=24.73.134.236
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
    rlm_realm: No '@' in User-Name = tripp, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
    users: Matched entry DEFAULT at line 179
    users: Matched entry DEFAULT at line 191
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tripp/tripp] (from client BorderPatrol port 755 cli 24.73.134.236)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 93 to 10.2.0.69:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 93 with timestamp 43ce531c
Nothing to do.  Sleeping until we see a request.
Terminate batch job (Y/N)?

Tripp Sills
Senior Network Engineer - Information Technology
[EMAIL PROTECTED]
Direct Mail Express
2441 Bellevue Avenue Extension
Daytona Beach, FL
Office # (386) 271 - 3288
Cell# (386) 566 - 4053
Fax# (386) 271 - 3289

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sills, Tripp
Sent: Wednesday, January 18, 2006 9:12 AM
To: FreeRadius users mailing list
Subject: RE: CIsco Pix and FreeRadius

I am not altering the users file all I have in it is :
I was using the same username and password for both. Below is my users file.

#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user.  Accounting requests are NOT processed
# through this file.  Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length.  This is followed (on the same line) with
# the list of authentication requirements for that user.  This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the hints file), and huntgroup name (set by
# the huntgroups file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested.  Only the first match is used unless the
# Fall-Through variable is set to Yes.
#
# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries.  All entries are processed
# in the order they appear in this file.  The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file
Re: CIsco Pix and FreeRadius....
On Wednesday 18 January 2006 09:40, Sills, Tripp wrote:
>     users: Matched entry DEFAULT at line 179
>     users: Matched entry DEFAULT at line 191

From the users file you can read:

# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested.  Only the first match is used unless the
# Fall-Through variable is set to Yes.
#
# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries.  All entries are processed
# in the order they appear in this file.  The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.

You aren't matching tripp. Put your entries at the top or comment out all the
DEFAULT entries you don't care about.

Zoltan Ori
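To make the matching rules Zoltan quotes concrete, here is an added example (mine, not code from the list or from the FreeRADIUS project) that replays the users-file walk the files module performs: DEFAULT matches every name, a `==` check item must equal the request attribute, `:=` in the check items sets a config item such as Auth-Type, and processing stops at the first match unless that entry carries Fall-Through = Yes. The users file and the two requests are constructed; the example assumes the PIX "test aaa-server" probe carries no Service-Type, which is why only the VPN client request falls into the DEFAULT entries and ends up with no Auth-Type.

```python
import re

# Constructed users file (added example, not the poster's own): two DEFAULT entries ahead of the named one, as in the thread.
USERS_FILE = """\
DEFAULT Service-Type == Framed-User
        Framed-MTU = 576,
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
tripp   Auth-Type := Local, User-Password == tripp
"""
ITEM = re.compile(r"([\w-]+)\s*(:=|==|=)\s*([^,]+?)\s*,?\s*$")  # 'Attr op value[,]'

def parse_users(text):
    """Return [(name, check_items, reply_items)]; every item is (attr, op, value)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                        # indented line: a reply item
            entries[-1][2].append(ITEM.match(raw.strip()).groups())
        else:                                      # 'name check, check, ...'
            name, rest = (raw.split(None, 1) + [""])[:2]
            checks = [ITEM.match(c.strip()).groups() for c in rest.split(",") if c.strip()]
            entries.append((name, checks, []))
    return entries

def authorize(entries, request):
    """Walk the entries in file order: first match wins unless Fall-Through = Yes."""
    matched, config, reply = [], {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue                               # a '==' check item did not match
        matched.append(name)
        config.update((a, v) for a, op, v in checks if op == ":=")  # e.g. Auth-Type
        fall_through = False
        for a, op, v in replies:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            elif op == ":=" or a not in reply:     # '=' never overrides an existing pair
                reply[a] = v
        if not fall_through:
            break
    return matched, config, reply

def named_first(entries):
    """Zoltan's fix: move the named entries ahead of every DEFAULT entry."""
    return sorted(entries, key=lambda e: e[0] == "DEFAULT")

# Constructed requests shaped like the debug log; the PIX probe is assumed to carry no Service-Type.
PIX_TEST = {"User-Name": "tripp", "User-Password": "tripp"}
VPN_CLIENT = {**PIX_TEST, "Service-Type": "Framed-User", "Framed-Protocol": "PPP"}
```

Running `authorize(parse_users(USERS_FILE), VPN_CLIENT)` reports two DEFAULT matches and no Auth-Type, the same outcome the debug log shows before the reject; `authorize(named_first(parse_users(USERS_FILE)), VPN_CLIENT)` matches tripp with Auth-Type Local.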
Re: CIsco Pix and FreeRadius....
Sills, Tripp [EMAIL PROTECTED] wrote:
> I am not altering the users file all I have in it is :
> I was using the same username and password for both. Below is my users file.

Perhaps I was unclear. *YOU* should read the users file and compare its
entries to what's in the debug log. If you don't understand what you
configured or how it works, then you're never going to solve the problem.

Alan DeKok.
RE: CIsco Pix and FreeRadius....
Does freeradius offer authorization as well? I am trying to use the filter-id attribute.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zoltan Ori
Sent: Wednesday, January 18, 2006 11:08 AM
To: FreeRadius users mailing list
Subject: Re: CIsco Pix and FreeRadius

On Wednesday 18 January 2006 09:40, Sills, Tripp wrote:
>     users: Matched entry DEFAULT at line 179
>     users: Matched entry DEFAULT at line 191

From the users file you can read:

# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested.  Only the first match is used unless the
# Fall-Through variable is set to Yes.
#
# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries.  All entries are processed
# in the order they appear in this file.  The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.

You aren't matching tripp. Put your entries at the top or comment out all the
DEFAULT entries you don't care about.

Zoltan Ori
RE: CIsco Pix and FreeRadius....
Done that, fixed the issue. Now I want to use ldap with freeradius, is that possible?

Tripp Sills
Senior Network Engineer - Information Technology
[EMAIL PROTECTED]
Direct Mail Express
2441 Bellevue Avenue Extension
Daytona Beach, FL
Office # (386) 271 - 3288
Cell# (386) 566 - 4053
Fax# (386) 271 - 3289

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, January 18, 2006 11:22 AM
To: FreeRadius users mailing list
Subject: Re: CIsco Pix and FreeRadius

Sills, Tripp [EMAIL PROTECTED] wrote:
> I am not altering the users file all I have in it is :
> I was using the same username and password for both. Below is my users file.

Perhaps I was unclear. *YOU* should read the users file and compare its
entries to what's in the debug log. If you don't understand what you
configured or how it works, then you're never going to solve the problem.

Alan DeKok.
RE: CIsco Pix and FreeRadius....
for request 2
    rlm_realm: No '@' in User-Name = tripp, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
    users: Matched entry DEFAULT at line 179
    users: Matched entry DEFAULT at line 191
  modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tripp/tripp] (from client BorderPatrol port 739 cli 24.73.134.236)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 87 to 10.2.0.69:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 87 with timestamp 43cd2740
Nothing to do.  Sleeping until we see a request.
Terminate batch job (Y/N)?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, January 16, 2006 10:33 PM
To: FreeRadius users mailing list
Subject: Re: CIsco Pix and FreeRadius

Sills, Tripp [EMAIL PROTECTED] wrote:
> It says Auth-Type found Local but when I run with the VPN client it says
> unknown auth type. Please any help would be great!

Help us help you. Read the README, INSTALL, and FAQ. Then follow the
instructions there for debugging the server.

Alan DeKok.
Re: CIsco Pix and FreeRadius....
Sills, Tripp [EMAIL PROTECTED] wrote:
> Notice the first request that comes from the 10.2.0.69... It is using the
> test aaa-server from the PIX itself. The other 2 are when I am connecting
> to the VPN client and trying to authenticate. It says Auth Type unknown.
> Any ideas Alan?

The only difference is in which entries it matches in the users file.
Read those entries to see what it's doing, and why.

Alan DeKok.
Re: CIsco Pix and FreeRadius....
Sills, Tripp [EMAIL PROTECTED] wrote:
> It says Auth-Type found Local but when I run with the VPN client it says
> unknown auth type. Please any help would be great!

Help us help you. Read the README, INSTALL, and FAQ. Then follow the
instructions there for debugging the server.

Alan DeKok.