Re: newbie - authentication error

2008-05-28 Thread A . L . M . Buxey
Hi,
 Hi all,

 I'd like to test my radius conf with a basic setting.

really? looks from the log you posted that you've massively edited
the provided config files. why?  you've just broken the server.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Post the output from radiusd -X.

  

here it is :
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 
2008 at 18:46:28

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
}

radiusd:  Loading Realms and Home Servers 
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
wait = yes
input_pairs = request
shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
reply-message = Password Has Expired  
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server {
modules {
}
}
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = 
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57784, id=236, 
length=59

User-Name = testuser
User-Password = testpasswd
NAS-IP-Address = x.x.x.x
NAS-Port = 1812
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [testuser/testpasswd] (from client localhost port 1812)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 236 to 127.0.0.1 port 57784
Waking up in 4.9 seconds.


Ivan Kalik
Kalik informatika ISP


On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

  

Hi all,

I'd like to test my radius conf with a basic setting.
I'm running freeradius-2.0.4-2 on linux debian.

my client.conf contains the following :
client localhost {
  ipaddr = 127.0.0.1
  secret = testing123
  nastype=other
}

I still don't know which kind of parameter I have to set in my
/etc/freeradius/users file
to allow my radtest to work.

all my tests with cleartext-password, user-password, auth-type, and :=, =,
==, lead to the same
error message :
rad_recv: Access-Request packet from host 127.0.0.1 port 57756, id=178,
length=59
   User-Name = testuser
   User-Password = testpasswd
   NAS-IP-Address = x.x.x.x
   NAS-Port = 1812
Wed May 28 11:41:06 2008 : Debug: auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user

next step, how to set up the users file so my local unix users can also
be authenticated via radius ?

thanks




Re: newbie - authentication error

2008-05-28 Thread Ivan Kalik
Post the output from radiusd -X.

Ivan Kalik
Kalik informatika ISP


On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

Hi all,

I'd like to test my radius conf with a basic setting.
I'm running freeradius-2.0.4-2 on linux debian.

my client.conf contains the following :
client localhost {
   ipaddr = 127.0.0.1
   secret = testing123
   nastype=other
}

I still don't know which kind of parameter I have to set in my
/etc/freeradius/users file
to allow my radtest to work.

all my tests with cleartext-password, user-password, auth-type, and :=, =,
==, lead to the same
error message :
rad_recv: Access-Request packet from host 127.0.0.1 port 57756, id=178,
length=59
User-Name = testuser
User-Password = testpasswd
NAS-IP-Address = x.x.x.x
NAS-Port = 1812
Wed May 28 11:41:06 2008 : Debug: auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user

next step, how to set up the users file so my local unix users can also
be authenticated via radius ?

thanks




Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  

Hi all,

I'd like to test my radius conf with a basic setting.



really? looks from the log you posted that you've massively edited
the provided config files. why?  you've just broken the server.
  

ok, that means I have to remove the package and reinstall it.
should I then test with a user already created on the system, or shall I 
create a new one in

the users file ?

the auth-type cannot be explicitly added to the arguments of the 
radtest, that's why I tried to

set up in many different ways the users file.

alan
-
  





Re: newbie - authentication error

2008-05-28 Thread Ivan Kalik
Default configuration works - there is no need to change it. You have
instructions in FAQ or users file about making simplest user entries.
You don't need to set Auth-Type - server does this on its own.

Ivan Kalik
Kalik Informatika ISP


On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:
 Hi,
   
 Hi all,

 I'd like to test my radius conf with a basic setting.
 

 really? looks from the log you posted that you've massively edited
 the provided config files. why?  you've just broken the server.
   
ok, that means I have to remove the package and reinstall it.
should I then test with a user already created on the system, or shall I 
create a new one in
the users file ?

the auth-type cannot be explicitly added to the arguments of the 
radtest, that's why I tried to
set up in many different ways the users file.
 alan
 -
   




Re: newbie - authentication error

2008-05-28 Thread Ivan Kalik
Where is the output from the debug (radiusd -X)?

Ivan Kalik
Kalik Informatika ISP


On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

Ivan Kalik wrote:
 Default configuration works - there is no need to change it. You have
 instructions in FAQ or users file about making simplest user entries.
 You don't need to set Auth-Type - server does this on its own.

   
I just removed the debian packages, removed the /var/log/radius and 
/etc/freeradius,
did an apt-get install again, then followed the first step described in 
http://deployingradius.com/documents/configuration/pap.html, ie
place the following text 
http://deployingradius.com/scripts/raddb/users/pap.txt at the *top* of 
the /users/ file:
bob Cleartext-Password := hello

then started the freeradius with a -X option : freeradius -X.

radtest bob hello localhost 0 testing123
Sending Access-Request of id 189 to 127.0.0.1 port 1812
User-Name = bob
User-Password = hello
NAS-IP-Address = x.x.x.x
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, 
length=20

it looks like I chose the wrong FAQ.

the line added to the /etc/freeradius/users was the only modification I 
did to the users file.

anyway, I'll test on another host, to see if it works better.
 Ivan Kalik
 Kalik Informatika ISP


 On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

   
 [EMAIL PROTECTED] wrote:
 
 Hi,
   
   
 Hi all,

 I'd like to test my radius conf with a basic setting.
 
 
 really? looks from the log you posted that you've massively edited
 the provided config files. why?  you've just broken the server.
   
   
 ok, that means I have to remove the package and reinstall it.
 should I then test with a user already created on the system, or shall I 
 create a new one in
 the users file ?

 the auth-type cannot be explicitly added to the arguments of the 
 radtest, that's why I tried to
 set up in many different ways the users file.
 
 alan
 -
   
   


Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Default configuration works - there is no need to change it. You have
instructions in FAQ or users file about making simplest user entries.
You don't need to set Auth-Type - server does this on its own.

  
I just removed the debian packages, removed the /var/log/radius and 
/etc/freeradius,
did an apt-get install again, then followed the first step described in 
http://deployingradius.com/documents/configuration/pap.html, ie
place the following text 
http://deployingradius.com/scripts/raddb/users/pap.txt at the *top* of 
the /users/ file:

bob Cleartext-Password := hello

then started the freeradius with a -X option : freeradius -X.

radtest bob hello localhost 0 testing123
Sending Access-Request of id 189 to 127.0.0.1 port 1812
   User-Name = bob
   User-Password = hello
   NAS-IP-Address = x.x.x.x
   NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, 
length=20


it looks like I chose the wrong FAQ.

the line added to the /etc/freeradius/users was the only modification I 
did to the users file.


anyway, I'll test on another host, to see if it works better.

Ivan Kalik
Kalik Informatika ISP


On 28/5/2008, pkc_mls [EMAIL PROTECTED] wrote:

  

[EMAIL PROTECTED] wrote:


Hi,
  
  

Hi all,

I'd like to test my radius conf with a basic setting.



really? looks from the log you posted that you've massively edited
the provided config files. why?  you've just broken the server.
  
  

ok, that means I have to remove the package and reinstall it.
should I then test with a user already created on the system, or shall I 
create a new one in

the users file ?

the auth-type cannot be explicitly added to the arguments of the 
radtest, that's why I tried to

set up in many different ways the users file.


alan
-
  
  



Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Where is the output from the debug (radiusd -X)?

  

here it is :
freeradius -X
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 
2008 at 18:46:28

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
}
radiusd:  Loading Realms and Home Servers 
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
wait = yes
input_pairs = request
shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
reply-message = Password Has Expired  
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server {
modules {
}
}
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = 
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32780, id=45, 
length=55

User-Name = bob
User-Password = hello
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [bob/hello] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 45 to 127.0.0.1 port 32780
Waking up in 4.9 seconds.
Cleaning up request 0 ID 45 with timestamp +8
Ready to process requests.

thanks for your time and patience.

Ivan Kalik
Kalik Informatika ISP

  




Re: newbie - authentication error

2008-05-28 Thread A . L . M . Buxey
Hi,
 here it is :
 freeradius -X

okay. so you didn't edit the config - the package maintainers
have edited it in weird ways and broken it.

can you please post your radiusd.conf and sites-enabled/default


alan


Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  

here it is :
freeradius -X



okay. so you didn't edit the config - the package maintainers
have edited it in weird ways and broken it.

can you please post your radiusd.conf and sites-enabled/default
  
there is no sites-enabled/default file. the default is only in the 
sites-available directory.


please find below the radiusd.conf.
I removed the comments, but I can also send the complete file if needed.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

db_dir = $(raddbdir)

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
   type = auth
   ipaddr = *
   port = 0
}

listen {
   ipaddr = *
   port = 0
   type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions= yes
extended_expressions= yes

log {
   destination = files
   file = ${logdir}/radius.log
   syslog_facility = daemon
   stripped_names = no
   auth = no
   auth_badpass = no
   auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
   max_attributes = 200
   reject_delay = 1
   status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

snmp= no
$INCLUDE snmp.conf

thread pool {
   start_servers = 5
   max_servers = 32
   min_spare_servers = 3
   max_spare_servers = 10
   max_requests_per_server = 0
}

modules {
   pap {
   auto_header = no
   }

   chap {
   authtype = CHAP
   }

   pam {
   pam_auth = radiusd
   }

   unix {
   radwtmp = ${logdir}/radwtmp
   }

$INCLUDE eap.conf

   mschap {
   }

   ldap {
   server = ldap.your.domain
   basedn = o=My Org,c=UA
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
   start_tls = no
   }
   dictionary_mapping = ${confdir}/ldap.attrmap
   edir_account_policy_check = no
   }
   realm IPASS {
   format = prefix
   delimiter = /
   }

   realm suffix {
   format = suffix
   delimiter = @
   }

   realm realmpercent {
   format = suffix
   delimiter = %
   }

   realm ntdomain {
   format = prefix
   delimiter = \\
   }   


   checkval {
   item-name = Calling-Station-Id
   check-name = Calling-Station-Id
   data-type = string
   }

   preprocess {
   huntgroups = ${confdir}/huntgroups
   hints = ${confdir}/hints

   with_ascend_hack = no
   ascend_channels_per_line = 23

   with_ntdomain_hack = no

   with_specialix_jetstream_hack = no

   with_cisco_vsa_hack = no
   }

   files {
   usersfile = ${confdir}/users
   acctusersfile = ${confdir}/acct_users
   preproxy_usersfile = ${confdir}/preproxy_users
   compat = no
   }

   detail {
   detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
   detailperm = 0600
   header = %t
   }

   acct_unique {
   key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port

   }

   radutmp {
   filename = ${logdir}/radutmp
   username = %{User-Name}
   case_sensitive = yes
   check_with_nas = yes   
   perm = 0600

   callerid = yes
   }

   radutmp sradutmp {
   filename = ${logdir}/sradutmp
   perm = 0644
   callerid = no
   }

   attr_filter attr_filter.post-proxy {
   attrsfile = ${confdir}/attrs
   }

   attr_filter attr_filter.pre-proxy {
   attrsfile = ${confdir}/attrs.pre-proxy
   }

   attr_filter attr_filter.access_reject {
   key = %{User-Name}
   attrsfile = ${confdir}/attrs.access_reject
   }

   attr_filter attr_filter.accounting_response {
   key = %{User-Name}
   attrsfile = ${confdir}/attrs.accounting_response
   }

   counter daily {
   filename = ${db_dir}/db.daily
   key = User-Name
   count-attribute = Acct-Session-Time
   reset = daily
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
   reply-name = Session-Timeout
   allowed-servicetype = Framed-User
   cache-size = 5000
   }

   always fail {
   rcode = fail
   }
   always reject {
   rcode = reject
   }
   always noop {
   rcode = noop
   }
   always handled {
   rcode = handled
   }
   always updated {
   rcode = updated
   }
   always notfound {
   rcode = notfound
   }
   always ok {
   rcode = ok
   simulcount = 0
   mpp = no
   }

   expr {
   }

   digest {
   }

   expiration {
   reply-message = Password Has Expired\r\n
   }

   logintime {
   reply-message = You are calling outside your allowed timespan\r\n

   

Re: newbie - authentication error

2008-05-28 Thread A . L . M . Buxey
Hi,
 [EMAIL PROTECTED] wrote:
 Hi,
   
 here it is :
 freeradius -X
 

 okay. so you didn't edit the config - the package maintainers
 have edited it in weird ways and broken it.

 can you please post your radiusd.conf and sites-enabled/default
   
 there is no sites-enabled/default file. the default is only in the 
 sites-available directory.

cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default

that default file contains the brains of the server!


then run the system again.

alan



Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  
cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default


that default file contains the brains of the server!
  

that's it.
next step is to report the bug to debian package maintainer ...
thanks everyone for patience and help.
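
Added example (not part of the original thread, and not FreeRADIUS project code): the symptom this thread converges on, an empty "modules { }" block under "Loading Virtual Servers" together with the Auth-Type reject, checked from a debug log and the sites-enabled directory. Function names are hypothetical, and the sample log is a trimmed excerpt of the debug output posted above.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Excerpt of the debug output posted in the thread (trimmed, lines rejoined).
sample_broken_log() {
    cat <<'EOF'
radiusd:  Loading Virtual Servers
server {
modules {
}
}
radiusd:  Opening IP addresses and Ports
Ready to process requests.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
EOF
}

# Succeeds when the log shows a virtual server whose modules { } block is
# empty, i.e. no authorize/authenticate sections were loaded.
empty_virtual_server() {
    awk '
        /Loading Virtual Servers/        { in_vs = 1; next }
        /Opening IP addresses and Ports/ { in_vs = 0 }
        in_vs && /^[ \t]*modules[ \t]*[{]/ { in_mod = 1; n = 0; next }
        in_mod && /^[ \t]*[}]/ { if (n == 0) empty = 1; in_mod = 0; next }
        in_mod && NF { n++ }
        END { exit(empty ? 0 : 1) }
    ' "$1"
}

# Prints how many virtual-server files (or symlinks to files) are enabled.
enabled_site_count() {
    count=0
    for f in "$1"/sites-enabled/*; do
        if [ -f "$f" ]; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Exit status: 0 = modules loaded, 1 = sites enabled but log shows none
# loaded (stale log or broken site file), 2 = sites-enabled is empty.
diagnose() {
    raddb=$1 log=$2
    if empty_virtual_server "$log" &&
       grep -Fq 'No authenticate method (Auth-Type)' "$log"; then
        if [ "$(enabled_site_count "$raddb")" -eq 0 ]; then
            echo "no virtual server enabled: $raddb/sites-enabled is empty"
            return 2
        fi
        echo "log shows no modules loaded; re-run the debug output"
        return 1
    fi
    echo "virtual server has modules loaded"
    return 0
}

# Demo against a scratch copy of the layout, so nothing under /etc is touched.
tmp=$(mktemp -d)
mkdir -p "$tmp/sites-available" "$tmp/sites-enabled"
: > "$tmp/sites-available/default"
sample_broken_log > "$tmp/debug.log"
diagnose "$tmp" "$tmp/debug.log" || true
rm -rf "$tmp"
```

Run it against a fresh debug capture after copying sites-available/default into sites-enabled, since the old log still shows the empty block.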
