RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi Ivan,

I used the following user record:

a...@radius  User-Password == "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP

And I sent a CHAP request, authentication still works.


rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212, length=188
User-Name = "a...@radius"
CHAP-Password = 0x01fb483b2d567fd0e128500a3ce0980d0b
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "Quiet"
NAS-Port = 167903232
NAS-Real-Port = 2717909092
NAS-Port-Type = Virtual
NAS-Port-Id = "10/2 vlan-id 100 pppoe 372"
Medium-Type = DSL
Mac-Addr = "00-0c-29-10-12-c3"
Platform-Type = SmartEdge-800
OS-Version = "6.1.2.6p9"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry a...@radius at line 148
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "a...@radius" with CHAP password
  rlm_chap: Using clear text password "test" for user a...@radius authentication.
  rlm_chap: chap user a...@radius authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 0
modcall: leaving group CHAP (returns ok) for request 0
Login OK: [...@radius/] (from client SE-Quiet port 167903232)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "main_pool" returns noop for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 212 to 10.205.1.1 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
Finished request 0

 

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-17-09 11:02 AM
To: FreeRadius users mailing list
Subject: RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in 
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password
won't.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Elias Abou Zeid wrote:

> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
> I tried both User-Password == "test" and Cleartext-Password := "test".
> They both work fine when the user entry is before default setting in
> users file.
> Just to let you know.
> Elias


Thank you, Elias.

- Charles


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Ivan Kalik
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password won't.

Ivan Kalik
Kalik Informatika ISP



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Alan DeKok
Elias Abou Zeid wrote:
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
> 
> I tried both User-Password == "test" and Cleartext-Password := "test".
> 
> They both work fine when the user entry is before default setting in
> users file.

  Yes.  Because *old* versions of the server accepted 'User-Password
==', and not 'Cleartext-Password :='.  We try to keep compatibility
between versions of the server.

  Even with that, 'User-Password ==' is wrong.  It's been wrong for
nearly three years now.  Any blog, web page, "howto", etc. that suggests
it is wrong, and is out of date.

  At some point, that backwards compatibility will be removed.  Any
systems still using "User-Password ==" will then *break*.

  Alan DeKok.


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi,

Just out for sake of completeness. On FreeRADIUS Version 1.1.7

I tried both User-Password == "test" and Cleartext-Password := "test".

They both work fine when the user entry is before default setting in
users file.

Just to let you know.

Elias


-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

Hi,

> I still suggest:
>
>> abc   User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Alan,

It worked after I put my user entry before DEFAULT Auth-Type == System.

Thanks for your help,
Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

Hi,

> I still suggest:
>
>> abc   User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan


Re: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Alan DeKok
Elias Abou Zeid wrote:
> The version info is:
> radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built
> on Jan  8 2008 at 00:54:01
> Copyright (C) 2000-2007 The FreeRADIUS server project.

  So the suggestions should work.

> I added in users: Auth-Type := Local,

  Do NOT do that.

  See the FAQ for other examples of adding a default user.  Your entry
should go at the TOP of the "users" file.

  Alan DeKok.



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, Elias Abou Zeid wrote:

> a...@radius  Cleartext-Password := "test"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP

Why do you specify a realm (@RADIUS)? Try removing it, or, as suggested
by others, specify a default realm.

>    users: Matched entry DEFAULT at line 152
>    users: Matched entry DEFAULT at line 171
>    users: Matched entry DEFAULT at line 183


These lines tell us that you have more rules in your users file
than the one you list above. Taken at face value, looks like two rules 
with 'fall through' followed by one without. And it never gets to the rule 
for 'abc'.


Remember that radius looks for the first matching rule in your users file. 
DEFAULT rules should go at the bottom.


- Charles


RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Elias Abou Zeid
Hi Ivan,

The version info is:
radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built
on Jan  8 2008 at 00:54:01
Copyright (C) 2000-2007 The FreeRADIUS server project.

I added in users: Auth-Type := Local,

But still same debug result:

Ready to process requests.
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=4, length=187
User-Name = "a...@radius"
User-Password = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "Quiet"
NAS-Port = 167903232
NAS-Real-Port = 2717909092
NAS-Port-Type = Virtual
NAS-Port-Id = "10/2 vlan-id 100 pppoe 348"
Medium-Type = DSL
Mac-Addr = "00-0c-29-10-12-c3"
Platform-Type = SmartEdge-800
OS-Version = "6.1.2.6p9"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.205.1.1 port 1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 4a380fa8
Nothing to do.  Sleeping until we see a request.

Any other ideas ?

BR,
Elias 

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-16-09 5:28 PM
To: FreeRadius users mailing list
Subject: RE: Free Radius users record samples for SmartEdge router subscriber authentication.

> Now the subscriber config on Radius is as follows:
>
> a...@radius  Cleartext-Password := "test"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this
entry in the debug. Do you know what server version you are using? Do
radiusd -v if you don't. This debug looks older than 1.1.4.

> From radius debug:
>  rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
> User-Name = "a...@radius"
> User-Password = "test"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Identifier = "Quiet"
> NAS-Port = 167903232
> NAS-Real-Port = 2717909092
> NAS-Port-Type = Virtual
> NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
> Medium-Type = DSL
> Mac-Addr = "00-0c-29-10-12-c3"
> Platform-Type = SmartEdge-800
> OS-Version = "6.1.2.6p9"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/aut

Re: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Chris


On Jun 16, 2009, at 1:37 PM, Elias Abou Zeid wrote:

> Ok, I have removed encrypted-key in Redback router which was causing
> issue about shared secrets.
>
> Now the subscriber config on Radius is as follows:
>
> a...@radius  Cleartext-Password := "test"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP
>
> From radius debug:
>
>    rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
>    rlm_realm: No such realm "RADIUS"


I think you need to either define a DEFAULT realm or define the RADIUS  
realm in proxy.conf


Either:

RADIUS {
}

Or:

DEFAULT {
}



RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Ivan Kalik
> Now the subscriber config on Radius is as follows:
>
> a...@radius  Cleartext-Password := "test"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this
entry in the debug. Do you know what server version you are using? Do
radiusd -v if you don't. This debug looks older than 1.1.4.

> From radius debug:
>  rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
> User-Name = "a...@radius"
> User-Password = "test"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Identifier = "Quiet"
> NAS-Port = 167903232
> NAS-Real-Port = 2717909092
> NAS-Port-Type = Virtual
> NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
> Medium-Type = DSL
> Mac-Addr = "00-0c-29-10-12-c3"
> Platform-Type = SmartEdge-800
> OS-Version = "6.1.2.6p9"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
>   modcall[authorize]: module "auth_log" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
> rlm_realm: No such realm "RADIUS"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 183

One of these sets Auth-Type System. Comment it out.

>   modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: leaving group authenticate (returns notfound) for request 0
> auth: Failed to validate the user.
> Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
> Delaying request 0 for 1 seconds
> Finished request 0
>
> Unfortunately, the login is still failing with no obvious reason why.

Because default entry in users file sets Auth-Type to System. It was like
that by default in old versions. If your version is pre 1.1.4 you will
need to force Auth-Type. Probably to Local. But let's see the version
first.

Ivan Kalik
Kalik Informatika ISP
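
Added example (not from the thread or the FreeRADIUS project): a small triage script for `radiusd -X` output that reports, per request, which users-file entries matched and which Auth-Type was chosen, and flags the pattern diagnosed above, where only DEFAULT entries match and Auth-Type System ends in a reject. The sample lines are abridged from the debug output quoted in this thread; the function names are hypothetical.

```python
import re

RECV_RE = re.compile(r"rad_recv: Access-Request .*\bid=(\d+)")
MATCH_RE = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+)")

# Abridged from the debug output quoted in this thread.
SAMPLE_FAIL = """\
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=4, length=187
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
Sending Access-Reject of id 4 to 10.205.1.1 port 1812
"""
SAMPLE_OK = """\
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212, length=188
  rlm_chap: Setting 'Auth-Type := CHAP'
users: Matched entry a...@radius at line 148
  rad_check_password:  Found Auth-Type CHAP
Sending Access-Accept of id 212 to 10.205.1.1 port 1812
"""

def summarize(debug_text):
    """Return one dict per Access-Request seen in the debug output."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "matched": [],
                   "auth_type": None, "result": None}
            requests.append(cur)
        elif cur is None:
            continue  # output before the first request
        elif (m := MATCH_RE.search(line)):
            cur["matched"].append((m.group(1), int(m.group(2))))
        elif (m := AUTH_RE.search(line)):
            cur["auth_type"] = m.group(1)
        elif (m := SEND_RE.search(line)) and int(m.group(2)) == cur["id"]:
            cur["result"] = m.group(1)
    return requests

def findings(req):
    """Flag the users-file ordering problem discussed in the thread."""
    notes = []
    names = [name for name, _ in req["matched"]]
    if names and all(name == "DEFAULT" for name in names):
        lines = ", ".join(str(line) for _, line in req["matched"])
        notes.append(f"only DEFAULT entries matched (lines {lines}); "
                     "the per-user entry was never reached")
    if req["auth_type"] == "System" and req["result"] == "Access-Reject":
        notes.append("Auth-Type System handed the request to system "
                     "authentication, not the users-file password")
    return notes

if __name__ == "__main__":
    for text in (SAMPLE_FAIL, SAMPLE_OK):
        for req in summarize(text):
            print(req["id"], req["auth_type"], req["result"], findings(req))
```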



RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-16 Thread Elias Abou Zeid
Ok, I have removed encrypted-key in Redback router which was causing
issue about shared secrets.

Now the subscriber config on Radius is as follows:

a...@radius  Cleartext-Password := "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP


From radius debug:
 rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
User-Name = "a...@radius"
User-Password = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "Quiet"
NAS-Port = 167903232
NAS-Real-Port = 2717909092
NAS-Port-Type = Virtual
NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
Medium-Type = DSL
Mac-Addr = "00-0c-29-10-12-c3"
Platform-Type = SmartEdge-800
OS-Version = "6.1.2.6p9"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0

Unfortunately, the login is still failing with no obvious reason why.

Any thoughts ?

Thanks,
Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: June-16-09 3:50 PM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdge router subscriber authentication.

Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

  No, using == is wrong.

> So now I have:
> 
> a...@radius  User-Password == "test"

  That's wrong.

> Now after enabling the radius -X, I get:
...
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
> 
> So it seems the password radius is receiving is different than what I 
> am giving. I checked the shared secret between server and NAS, it matches!
> I am not sure why ?

  The shared secrets do NOT match.  This is in the FAQ.  Don't check
them.  Re-enter them.

  Alan DeKok.