RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Hi Ivan,

I used the following user record:

a...@radius     User-Password == "test"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

And I sent a CHAP request, authentication still works.

rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212, length=188
        User-Name = "a...@radius"
        CHAP-Password = 0x01fb483b2d567fd0e128500a3ce0980d0b
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = "Quiet"
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = "10/2 vlan-id 100 pppoe 372"
        Medium-Type = DSL
        Mac-Addr = "00-0c-29-10-12-c3"
        Platform-Type = SmartEdge-800
        OS-Version = "6.1.2.6p9"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry a...@radius at line 148
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
rlm_chap: login attempt by "a...@radius" with CHAP password
rlm_chap: Using clear text password "test" for user a...@radius authentication.
rlm_chap: chap user a...@radius authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 0
modcall: leaving group CHAP (returns ok) for request 0
Login OK: [...@radius/] (from client SE-Quiet port 167903232)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module "main_pool" returns noop for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617
modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 212 to 10.205.1.1 port 1812
        Service-Type = Framed-User
        Framed-Protocol = PPP
Finished request 0

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-17-09 11:02 AM
To: FreeRadius users mailing list
Subject: RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password won't.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Wed, 17 Jun 2009, Elias Abou Zeid wrote:

> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.
>
> Just to let you know.
>
> Elias

Thank you, Elias.

- Charles
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password won't.

Ivan Kalik
Kalik Informatika ISP
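Added example, not part of the original thread: a PAP request carries the password itself, while a CHAP request carries only a 1-octet id plus MD5(id || password || challenge), so a literal comparison against the request's User-Password has nothing to compare in the CHAP case, whereas a stored known-good cleartext lets the server recompute the response. The function names, the user name "subscriber1" and the authenticator bytes are constructed for illustration, and the code models the literal operator semantics rather than the compatibility behaviour of FreeRADIUS 1.1.7 shown elsewhere in this thread.

```python
import hashlib
import hmac


def chap_password(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: one id octet + MD5(id || secret || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + secret + challenge).digest()


def literal_compare(request: dict, value: bytes) -> bool:
    """Literal reading of `User-Password == value`: compare with the
    User-Password attribute of the request. A CHAP request has none."""
    sent = request.get("User-Password")
    return sent is not None and hmac.compare_digest(sent, value)


def known_good_check(request: dict, cleartext: bytes) -> bool:
    """`Cleartext-Password := value` read as a known-good password that
    both the PAP check and the CHAP check can start from."""
    if "User-Password" in request:          # PAP: password arrives decoded
        return hmac.compare_digest(request["User-Password"], cleartext)
    attr = request.get("CHAP-Password")
    if attr is None or len(attr) != 17:     # 1 id octet + 16 MD5 octets
        return False
    # RFC 2865: the challenge is the CHAP-Challenge attribute if present,
    # otherwise the Request Authenticator of the packet.
    challenge = request.get("CHAP-Challenge", request["Authenticator"])
    expected = chap_password(attr[0], cleartext, challenge)
    return hmac.compare_digest(attr, expected)


# Constructed sample requests; the names and byte values are made up.
AUTHENTICATOR = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PAP_REQUEST = {"User-Name": "subscriber1", "Authenticator": AUTHENTICATOR,
               "User-Password": b"test"}
CHAP_REQUEST = {"User-Name": "subscriber1", "Authenticator": AUTHENTICATOR,
                "CHAP-Password": chap_password(1, b"test", AUTHENTICATOR)}


def outcomes() -> dict:
    """Result of each style of check against each kind of request."""
    return {
        ("pap", "literal =="): literal_compare(PAP_REQUEST, b"test"),
        ("chap", "literal =="): literal_compare(CHAP_REQUEST, b"test"),
        ("pap", "known-good"): known_good_check(PAP_REQUEST, b"test"),
        ("chap", "known-good"): known_good_check(CHAP_REQUEST, b"test"),
    }


if __name__ == "__main__":
    for (method, style), ok in outcomes().items():
        print(f"{method:4} {style:10} -> {'accept' if ok else 'reject'}")
```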
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Elias Abou Zeid wrote:
> Just out for sake of completeness. On FreeRADIUS Version 1.1.7
>
> I tried both User-Password == "test" and Cleartext-Password := "test".
>
> They both work fine when the user entry is before default setting in
> users file.

Yes. Because *old* versions of the server accepted 'User-Password ==',
and not 'Cleartext-Password :='. We try to keep compatibility between
versions of the server.

Even with that, 'User-Password ==' is wrong. It's been wrong for
nearly three years now. Any blog, web page, "howto", etc. that suggests
it is wrong, and is out of date.

At some point, that backwards compatibility will be removed. Any
systems still using "User-Password ==" will then *break*.

Alan DeKok.
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Hi,

Just out for sake of completeness. On FreeRADIUS Version 1.1.7

I tried both User-Password == "test" and Cleartext-Password := "test".

They both work fine when the user entry is before default setting in
users file.

Just to let you know.

Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

Hi,

> I still suggest:
>
>> abc User-Password == "test"

that is wrong. wrong and wrong

Elias, please put your entry at the top of the users file - or remove the
DEFAULT Auth-Type == System from your config (this forces the server to
always use 'system' auth - which you really don't want)

alan
RE: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Alan,

It worked after I put my user entry before DEFAULT Auth-Type == System.

Thanks for your help,
Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

Hi,

> I still suggest:
>
>> abc User-Password == "test"

that is wrong. wrong and wrong

Elias, please put your entry at the top of the users file - or remove the
DEFAULT Auth-Type == System from your config (this forces the server to
always use 'system' auth - which you really don't want)

alan
Re: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Elias Abou Zeid wrote:
> The version info is:
> radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built
> on Jan 8 2008 at 00:54:01
> Copyright (C) 2000-2007 The FreeRADIUS server project.

So the suggestions should work.

> I added in users: Auth-Type := Local,

Do NOT do that. See the FAQ for other examples of adding a default user.

Your entry should go at the TOP of the "users" file.

Alan DeKok.
Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Tue, 16 Jun 2009, Elias Abou Zeid wrote:

> a...@radius     Cleartext-Password := "test"
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP

Why do you specify a realm (@RADIUS)? Try removing it, or, as suggested
by others, specify a default realm.

> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 183

These lines tell us that you have more rules in your users file than the
one you list above. Taken at face value, looks like two rules with 'fall
through' followed by one without. And it never gets to the rule for 'abc'.

Remember that radius looks for the first matching rule in your users file.
DEFAULT rules should go at the bottom.

- Charles
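Added example, not part of the original thread and not FreeRADIUS code: a simplified model of the first-match walk described above, run over a users file with the subscriber entry below the DEFAULT rules and again with it on top, plus a check that lists named entries made unreachable by a DEFAULT without Fall-Through. The line numbers 148, 152, 171 and 183 come from the debug output in this thread; the contents of the three DEFAULT rules, the user name "subscriber1" and line 190 are assumptions made for illustration.

```python
DEFAULT = "DEFAULT"


def entry(line, name, check=(), fall_through=False):
    """One users-file rule: line number, name, check items, Fall-Through."""
    return {"line": line, "name": name, "check": list(check),
            "fall_through": fall_through}


def walk_users(entries, user):
    """Return (matched line numbers, control attributes) for one request."""
    matched, control = [], {}
    for e in entries:
        if e["name"] not in (user, DEFAULT):
            continue
        matched.append(e["line"])
        for attr, op, value in e["check"]:
            # ':=' always sets the attribute; '=' sets it only if unset
            if op == ":=" or attr not in control:
                control[attr] = value
        if not e["fall_through"]:
            break                      # first match without Fall-Through wins
    return matched, control


def shadowed(entries):
    """Named entries placed after a DEFAULT that has no Fall-Through.
    Each result is (name, line, line of the DEFAULT that blocks it)."""
    found, blocker = [], None
    for e in entries:
        if e["name"] == DEFAULT:
            if blocker is None and not e["fall_through"]:
                blocker = e["line"]
        elif blocker is not None:
            found.append((e["name"], e["line"], blocker))
    return found


# Assumed DEFAULT rules (their real contents are not shown in the thread).
DEFAULTS = [
    entry(152, DEFAULT, [("Auth-Type", "=", "System")], fall_through=True),
    entry(171, DEFAULT, fall_through=True),
    entry(183, DEFAULT),
]
USER_CHECK = [("Cleartext-Password", ":=", "test")]
BELOW = DEFAULTS + [entry(190, "subscriber1", USER_CHECK)]    # failing layout
ON_TOP = [entry(148, "subscriber1", USER_CHECK)] + DEFAULTS   # working layout

if __name__ == "__main__":
    for label, users in (("entry below DEFAULTs", BELOW),
                         ("entry on top", ON_TOP)):
        lines, control = walk_users(users, "subscriber1")
        print(label, "matched", lines, "control", control,
              "shadowed", shadowed(users))
```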
RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Hi Ivan,

The version info is:
radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10, built
on Jan 8 2008 at 00:54:01
Copyright (C) 2000-2007 The FreeRADIUS server project.

I added in users: Auth-Type := Local,

But still same debug result:

Ready to process requests.
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=4, length=187
        User-Name = "a...@radius"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = "Quiet"
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = "10/2 vlan-id 100 pppoe 348"
        Medium-Type = DSL
        Mac-Addr = "00-0c-29-10-12-c3"
        Platform-Type = SmartEdge-800
        OS-Version = "6.1.2.6p9"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.205.1.1 port 1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 4a380fa8
Nothing to do. Sleeping until we see a request.

Any other ideas ?

BR,
Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-16-09 5:28 PM
To: FreeRadius users mailing list
Subject: RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

> Now the subscriber config on Radius is as follows:
>
> a...@radius     Cleartext-Password := "test"
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this
entry in the debug. Do you know what server version you are using? Do
radiusd -v if you don't. This debug looks older than 1.1.4.

> From radius debug:
> rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
>         User-Name = "a...@radius"
>         User-Password = "test"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Identifier = "Quiet"
>         NAS-Port = 167903232
>         NAS-Real-Port = 2717909092
>         NAS-Port-Type = Virtual
>         NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
>         Medium-Type = DSL
>         Mac-Addr = "00-0c-29-10-12-c3"
>         Platform-Type = SmartEdge-800
>         OS-Version = "6.1.2.6p9"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/aut
Re: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
On Jun 16, 2009, at 1:37 PM, Elias Abou Zeid wrote:

> Ok, I have removed encrypted-key in Redback router which was causing
> issue about shared secrets.
>
> Now the subscriber config on Radius is as follows:
>
> a...@radius     Cleartext-Password := "test"
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP
>
> From radius debug:
> rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
> rlm_realm: No such realm "RADIUS"

I think you need to either define a DEFAULT realm or define the RADIUS
realm in proxy.conf

Either:

RADIUS {
}

Or:

DEFAULT {
}
RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
> Now the subscriber config on Radius is as follows:
>
> a...@radius     Cleartext-Password := "test"
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP

Are you sure you are changing the correct users file? I don't see this
entry in the debug. Do you know what server version you are using? Do
radiusd -v if you don't. This debug looks older than 1.1.4.

> From radius debug:
> rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
>         User-Name = "a...@radius"
>         User-Password = "test"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Identifier = "Quiet"
>         NAS-Port = 167903232
>         NAS-Real-Port = 2717909092
>         NAS-Port-Type = Virtual
>         NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
>         Medium-Type = DSL
>         Mac-Addr = "00-0c-29-10-12-c3"
>         Platform-Type = SmartEdge-800
>         OS-Version = "6.1.2.6p9"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
> modcall[authorize]: module "auth_log" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
> rlm_realm: No such realm "RADIUS"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 183

One of these sets Auth-Type System. Comment it out.

> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: leaving group authenticate (returns notfound) for request 0
> auth: Failed to validate the user.
> Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
> Delaying request 0 for 1 seconds
> Finished request 0
>
> Unfortunately, the login is still failing with no obvious reason why.

Because default entry in users file sets Auth-Type to System. It was like
that by default in old versions. If your version is pre 1.1.4 you will
need to force Auth-Type. Probably to Local. But let's see the version
first.

Ivan Kalik
Kalik Informatika ISP
RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.
Ok, I have removed encrypted-key in Redback router which was causing
issue about shared secrets.

Now the subscriber config on Radius is as follows:

a...@radius     Cleartext-Password := "test"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

From radius debug:
rad_recv: Access-Request packet from host 10.205.1.1:1812, id=3, length=187
        User-Name = "a...@radius"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = "Quiet"
        NAS-Port = 167903232
        NAS-Real-Port = 2717909092
        NAS-Port-Type = Virtual
        NAS-Port-Id = "10/2 vlan-id 100 pppoe 347"
        Medium-Type = DSL
        Mac-Addr = "00-0c-29-10-12-c3"
        Platform-Type = SmartEdge-800
        OS-Version = "6.1.2.6p9"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090616
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "RADIUS" for User-Name = "a...@radius"
rlm_realm: No such realm "RADIUS"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 183
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [...@radius/test] (from client SE-Quiet port 167903232)
Delaying request 0 for 1 seconds
Finished request 0

Unfortunately, the login is still failing with no obvious reason why.

Any thoughts ?

Thanks,
Elias

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson....@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: June-16-09 3:50 PM
To: FreeRadius users mailing list
Subject: Re: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

Elias Abou Zeid wrote:
> Sorry for the :=, == confusion. I was doing it right using ==.

No, using == is wrong.

> So now I have:
>
> a...@radius User-Password == "test"

That's wrong.

> Now after enabling the radius -X, I get:
...
> WARNING: Unprintable characters in the password. ? Double-check the
> shared secret on the server and the NAS!
>
> So it seems the password radius is receiving is different than what I
> am giving. I checked the shared secret between server and NAS, it matches!
> I am not sure why ?

The shared secrets do NOT match. This is in the FAQ. Don't check
them. Re-enter them.

Alan DeKok.