Re: pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Adam Bishop
On 18 Apr 2013, at 11:43, Alberto Aldrigo  wrote:

> rad_recv: Access-Request packet from host 10.1.98.52 port 45105, id=139, 
> length=77
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "user"
> Calling-Station-Id = "10.1.0.136"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0

PPPD isn't sending a password. 

The hash is being found by LDAP fine, but there is no password in the radius 
request for it to validate.

You need to fix PPPD, then it should work.

Thanks,

Adam Bishop

   gpg: 0x6609D460

Janet, the UK's research and education network.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
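
The check described in the reply above, as an added example (not code from this thread or from FreeRADIUS): it reads `rad_recv` dumps from `freeradius -X` output and reports which credential attributes each Access-Request carries. The function names and the second and third sample requests are constructed for illustration; the optional forced Auth-Type comparison goes beyond this thread's case.

```python
import re

# Header and attribute lines as they appear in FreeRADIUS 2.x debug output.
HEADER = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*) = (.+?)\s*$")
WRAPPED_LENGTH = re.compile(r"^\s*length=\d+\s*$")  # header wrapped by a mail client

# Constructed sample: the first request is the one quoted in this thread,
# the other two are invented to show a PAP and an EAP request.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.1.98.52 port 45105, id=139,
length=77
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "user"
    Calling-Station-Id = "10.1.0.136"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0

rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=7, length=60
    User-Name = "user"
    User-Password = "constructed-placeholder"

rad_recv: Access-Request packet from host 192.0.2.11 port 40001, id=8, length=90
    User-Name = "user"
    EAP-Message = 0x0201000a0175736572
    Message-Authenticator = 0x00000000000000000000000000000000
"""


def parse_requests(log):
    """Return one dict per Access-Request found in the debug log."""
    requests, current = [], None
    for line in log.splitlines():
        header = HEADER.search(line)
        if header:
            current = {"host": header.group(1), "id": int(header.group(3)), "attrs": {}}
            requests.append(current)
            continue
        if current is None:
            continue
        attr = ATTR.match(line)
        if attr:
            current["attrs"][attr.group(1)] = attr.group(2).strip('"')
        elif not WRAPPED_LENGTH.match(line):
            current = None  # first non-attribute line ends the dump
    return requests


def credential_methods(attrs):
    """List the authentication methods the request has credentials for."""
    found = []
    if "User-Password" in attrs:
        found.append("PAP")
    if "CHAP-Password" in attrs:
        found.append("CHAP")
    if "MS-CHAP-Challenge" in attrs and (
        "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs
    ):
        found.append("MS-CHAP")
    if "EAP-Message" in attrs:
        found.append("EAP")
    return found


def diagnose(request, forced_auth_type=None):
    """Explain why the server can or cannot pick an Auth-Type for this request."""
    methods = credential_methods(request["attrs"])
    if not methods:
        return "no credentials: no module can set Auth-Type, fix the NAS/client"
    if forced_auth_type and forced_auth_type not in methods:
        return "mismatch: Auth-Type forced to %s but request carries %s" % (
            forced_auth_type, ", ".join(methods))
    return "ok: " + ", ".join(methods)


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_LOG):
        print(req["id"], diagnose(req, forced_auth_type="PAP"))
```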


pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Alberto Aldrigo

Hi everybody,

I'm having some problems with freeradius and ldap authentication.
I need to authenticate a user connecting via VPN to my pptpd daemon, 
which will ask permission from freeradius.
I installed freeradius and configured it to use ldap in this way (I 
stripped comments to shorten the config files):


sites-available/default:


authorize {
    ldap
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
}


preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
    exec
}

session {
    radutmp
}

post-auth {
    ldap
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

modules/ldap:

ldap {
    server = "10.1.98.50"
    identity = "cn=admin,dc=domain,dc=private"
    password = password
    basedn = "dc=domain,dc=private"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3

    net_timeout = 1

    tls {
        start_tls = no

    }

    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = userPassword
    edir_account_policy_check = no
}


radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

name = freeradius

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = freerad
group = freerad
max_request_time = 30

cleanup_delay = 5
max_requests = 1024

listen {
    type = auth

    ipaddr = *
    port = 0
}

listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no

allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no

}

checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32

    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}

instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/


When I run freeradius -X this is what I get:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 
2012 at 17:58:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file 
/etc/freeradius/modules/sqlcounter_expire_on_login

including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradi

Re: freeraduis LDAP error

2012-05-08 Thread NdK
Il 04/05/2012 09:35, dhanushka ranasinghe ha scritto:

>   User-Name = "dhanush...@wso2.com"
>   User-Password = "dcn05c4-1282"
I hope you realize you've sent your credentials to a public mailing list...

BYtE!


Re: freeraduis LDAP error

2012-05-04 Thread alan buxey
Hi,

> when i removed  "Auth-Type := PAP"   line    radius not checking
> password , even when wrong password is used user get the
> authenticated.

you then have a hardcoded  Accept  somewhere in your config


alan


Re: freeraduis LDAP error

2012-05-04 Thread dhanushka ranasinghe
Hi...

Really sorry if I caused any trouble... Thanks a lot to everyone who
tried to solve my issue...


Thank You
Dhanushka

On 4 May 2012 13:22, Alan DeKok  wrote:
> dhanushka ranasinghe wrote:
>> with the blow configuration .in  user file
>
>  Which you were told was wrong.
>
>> I test the radius access from command line  , by entering wrong
>> password [1] and correct password [2] .., in that case radius respond
>> fine, Issue only occurs [3] when   access via ubuntu machine
>> (WPAsupplicant) ...
>
>  Which doesn't do PAP authentication.
>
>>  # Executing group from file /etc/freeradius/sites-enabled/default
>> Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
>> Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
>> PAP' for a request that does not contain a User-Password attribute!
>
>  Which is the same message as before.  The solution is the same.
>
>  You have been working HARD to avoid solving this problem.  The
> solution to the problem is simple.  The debug output TELLS YOU what to do.
>
>  Go do it.
>
>  You have had a number of people try to help you.  These people are
> doing MORE WORK than you are to solve the problem.  Do as you were told.
>
>  If you keep ignoring the instructions on this list, you will be
> unsubscribed and banned.  The reason is simple: you're wasting
> everyone's time by asking questions, and ignoring the answers
>
>  That's no longer acceptable.
>
>  Alan DeKok.


Re: freeraduis LDAP error

2012-05-04 Thread Alan DeKok
dhanushka ranasinghe wrote:
> with the blow configuration .in  user file

  Which you were told was wrong.

> I test the radius access from command line  , by entering wrong
> password [1] and correct password [2] .., in that case radius respond
> fine, Issue only occurs [3] when   access via ubuntu machine
> (WPAsupplicant) ...

  Which doesn't do PAP authentication.

>  # Executing group from file /etc/freeradius/sites-enabled/default
> Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
> Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
> PAP' for a request that does not contain a User-Password attribute!

  Which is the same message as before.  The solution is the same.

  You have been working HARD to avoid solving this problem.  The
solution to the problem is simple.  The debug output TELLS YOU what to do.

  Go do it.

  You have had a number of people try to help you.  These people are
doing MORE WORK than you are to solve the problem.  Do as you were told.

  If you keep ignoring the instructions on this list, you will be
unsubscribed and banned.  The reason is simple: you're wasting
everyone's time by asking questions, and ignoring the answers

  That's no longer acceptable.

  Alan DeKok.


Re: freeraduis LDAP error

2012-05-04 Thread dhanushka ranasinghe
Hi...guys...

with the below configuration in the user file


DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",
Auth-Type := PAP
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


I tested the radius access from the command line, by entering a wrong
password [1] and the correct password [2]; in that case radius responds
fine. The issue only occurs [3] when accessing via an ubuntu machine
(WPAsupplicant) ...

eg --
1) radtest  username  wrong-password  192.168.0.63  1812 testing123

Sending Access-Request of id 176 to 192.168.0.63 port 1812
User-Name = "dhanush...@wso2.com"
User-Password = "dcn05c4-128222"
NAS-IP-Address = 192.168.0.60
NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.0.63 port 1812,
id=176, length=38


2) radtest username  correct-password 192.168.0.63  1812 testing123

Sending Access-Request of id 167 to 192.168.0.63 port 1812
User-Name = "dhanush...@wso2.com"
User-Password = "dcn05c4-1282"
NAS-IP-Address = 192.168.0.60
NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.0.63 port 1812,
id=167, length=38


3)

 # Executing group from file /etc/freeradius/sites-enabled/default
Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
PAP' for a request that does not contain a User-Password attribute!
Thu May  3 11:50:26 2012 : Info: ++[pap] returns invalid
Thu May  3 11:50:26 2012 : Info: Failed to authenticate the user.


Thank you
Dhanushka


On 4 May 2012 11:58, Fajar A. Nugraha  wrote:
> On Fri, May 4, 2012 at 1:15 PM, dhanushka ranasinghe
>  wrote:
>> Hi..
>>
>> when i removed  "Auth-Type := PAP"   line    radius not checking
>> password , even when wrong password is used user get the
>> authenticated.
>
> What does the debug log say?
>
> My guess is you have Auth-Type := Accept somewhere.
>
> --
> Fajar


Re: freeraduis LDAP error

2012-05-03 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 1:15 PM, dhanushka ranasinghe
 wrote:
> Hi..
>
> when i removed  "Auth-Type := PAP"   line    radius not checking
> password , even when wrong password is used user get the
> authenticated.

What does the debug log say?

My guess is you have Auth-Type := Accept somewhere.

-- 
Fajar


Re: freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
Hi..

when I removed the "Auth-Type := PAP" line, radius is not checking the
password; even when a wrong password is used the user gets
authenticated.


Thank You
Dhanushka

On 4 May 2012 11:31, Fajar A. Nugraha  wrote:
> On Fri, May 4, 2012 at 12:33 PM, dhanushka ranasinghe
>  wrote:
>> Hi..
>>
>> Seems like radius caching session thats why its got connected , as
>> i mention my LDAP uses SHA as password encrypted method , is there any
>> way to sort this issue and what configuration need to use in order to
>> fix this
>
> Remove the configuration lines that break the server?
>
> --
> Fajar


Re: freeraduis LDAP error

2012-05-03 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 12:33 PM, dhanushka ranasinghe
 wrote:
> Hi..
>
> Seems like radius caching session thats why its got connected , as
> i mention my LDAP uses SHA as password encrypted method , is there any
> way to sort this issue and what configuration need to use in order to
> fix this

Remove the configuration lines that break the server?

-- 
Fajar


Re: freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
Hi..

Seems like radius is caching the session, that's why it got connected. As
I mentioned, my LDAP uses SHA as the password encryption method. Is there any
way to sort this issue, and what configuration do I need to use in order to
fix this?

Thank You
Dhanushka

On 4 May 2012 10:52, dhanushka ranasinghe  wrote:
> ahh yes my LDAP server stors password in SHA
>
> Thank you
> Dhanushka
>
> On 4 May 2012 09:40, dhanushka ranasinghe  wrote:
>> Hi...
>>
>> for some reason i got via the error message , but radius server
>> authenticate the users even though  they entered wrong password, is
>> there any reason for that
>>
>> Thank You
>> Dhanushka
>>
>>
>> On 4 May 2012 06:34, Fajar A. Nugraha  wrote:
>>> On Fri, May 4, 2012 at 7:56 AM, dhanushka ranasinghe
>>>  wrote:
>>>> Hi...guys,,
>>>>
>>>> in user file i have the following configuration as well,
>>>>
>>>> DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",
>>>
>>>> Auth-Type := PAP
>>>
>>> If your LDAP server does NOT store passwords as clear text, that line
>>> pretty much qualifies as breaking the server.
>>>
>>> --
>>> Fajar


Re: freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
ahh yes, my LDAP server stores passwords in SHA

Thank you
Dhanushka

On 4 May 2012 09:40, dhanushka ranasinghe  wrote:
> Hi...
>
> for some reason i got via the error message , but radius server
> authenticate the users even though  they entered wrong password, is
> there any reason for that
>
> Thank You
> Dhanushka
>
>
> On 4 May 2012 06:34, Fajar A. Nugraha  wrote:
>> On Fri, May 4, 2012 at 7:56 AM, dhanushka ranasinghe
>>  wrote:
>>> Hi...guys,,
>>>
>>> in user file i have the following configuration as well,
>>>
>>> DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",
>>
>>> Auth-Type := PAP
>>
>> If your LDAP server does NOT store passwords as clear text, that line
>> pretty much qualifies as breaking the server.
>>
>> --
>> Fajar


Re: freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
Hi...

for some reason i got via the error message , but radius server
authenticate the users even though  they entered wrong password, is
there any reason for that

Thank You
Dhanushka


On 4 May 2012 06:34, Fajar A. Nugraha  wrote:
> On Fri, May 4, 2012 at 7:56 AM, dhanushka ranasinghe
>  wrote:
>> Hi...guys,,
>>
>> in user file i have the following configuration as well,
>>
>> DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",
>
>> Auth-Type := PAP
>
> If your LDAP server does NOT store passwords as clear text, that line
> pretty much qualifies as breaking the server.
>
> --
> Fajar


Re: freeraduis LDAP error

2012-05-03 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 7:56 AM, dhanushka ranasinghe
 wrote:
> Hi...guys,,
>
> in user file i have the following configuration as well,
>
> DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",

> Auth-Type := PAP

If your LDAP server does NOT store passwords as clear text, that line
pretty much qualifies as breaking the server.

-- 
Fajar


Re: freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
Hi...guys,,

in user file i have the following configuration as well,

DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com",
Auth-Type := PAP
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject

Thank You
Dhanushka


On 3 May 2012 21:40, Alan DeKok  wrote:
> dhanushka ranasinghe wrote:
>> im getting this error when radius  authenticating  with LDAP, is there
>> any way to sort the issue
>
>  Yes.
>
>  Don't edit the configuration and break the server.
>
>>  # Executing group from file /etc/freeradius/sites-enabled/default
>> Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
>> Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
>> PAP' for a request that does not contain a User-Password attribute!
>
>  What part of that message is unclear?
>
>  Alan DeKok.


Re: freeraduis LDAP error

2012-05-03 Thread Alan DeKok
dhanushka ranasinghe wrote:
> im getting this error when radius  authenticating  with LDAP, is there
> any way to sort the issue

  Yes.

  Don't edit the configuration and break the server.

>  # Executing group from file /etc/freeradius/sites-enabled/default
> Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
> Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
> PAP' for a request that does not contain a User-Password attribute!

  What part of that message is unclear?

  Alan DeKok.


RE: freeraduis LDAP error

2012-05-03 Thread Sallee, Stephen (Jake)
... did you set a default auth type?  A lot of old how-to docs have you do this 
as a test to see if FR is working ... but it is easy to forget to undo when 
you're done.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of dhanushka ranasinghe
Sent: Thursday, May 03, 2012 10:57 AM
To: FreeRadius users mailing list
Subject: freeraduis LDAP error

hi guys

im getting this error when radius  authenticating  with LDAP, is there any way 
to sort the issue

 # Executing group from file /etc/freeradius/sites-enabled/default
Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...} Thu May  3 
11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type = PAP' for a request that 
does not contain a User-Password attribute!
Thu May  3 11:50:26 2012 : Info: ++[pap] returns invalid Thu May  3 11:50:26 
2012 : Info: Failed to authenticate the user.

Thank You
Dhanushka


freeraduis LDAP error

2012-05-03 Thread dhanushka ranasinghe
hi guys

I'm getting this error when radius is authenticating with LDAP, is there
any way to sort the issue

 # Executing group from file /etc/freeradius/sites-enabled/default
Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
PAP' for a request that does not contain a User-Password attribute!
Thu May  3 11:50:26 2012 : Info: ++[pap] returns invalid
Thu May  3 11:50:26 2012 : Info: Failed to authenticate the user.

Thank You
Dhanushka


Re: ldap error

2011-11-15 Thread Alan DeKok
Harshavardhan Ch wrote:
> Hello,
> i am new to radius server,i made more changes in  *user*s
> configuration file ("/usr/local/etc/raddb/:vi users") ,after configuring
> (radiusd -X)  radius server was not configured ,output doesn't generate
>  any *errors* or *warnings*, i attached the output file .

  There is *no* good reason to post the output as an ODT file.

  You can add the relevant messages as text in a post to this list.

  Alan DeKok.


Re: rlm-ldap error for chap

2010-02-27 Thread Alan DeKok
Eric Eric wrote:
> with Cleartext-password or User-Password I have the same error. radius
> -x and my configs for chap are here. I searched a lot and test it but
> not found why it can't find clear text password. Should I add other
> thing? or change another file?

  Does your database have a clear-text password for the user?  It looks
like the answer is "no".

> It worked for pap and I added :
> in users :
> 
>  DEFAULT Client-IP-Address == 10.10.10.2 , Auth-Type := Vpn, Autz-Type
> := Vpn, Post-Auth-Type := Vpn, Session-type := Vpn

  I don't see why all that is necessary.

> in radius.conf:
> ldap ldap-Vpn{
>
> password_attribute = userPassword
> password_header = "{clear}"

  Well... it's not finding the "userPassword" attribute in LDAP.

>  Auth-Type Vpn{
> chap

  That makes no sense.  You've added a LOT to the server for little value.

  Try this:

1) start with a default install / configuration files

2) configure LDAP

3) get PAP working

4) do NOTHING ELSE until you get PAP working

5) get CHAP working (radclient will do this)

6) THEN go customize the heck out of the server.

  Alan DeKok.


rlm-ldap error for chap

2010-02-27 Thread Eric Eric
    CHAP-Password = 0x008a7f35b2a09df3aa79b659a9909ca15f
    Message-Authenticator = 0x540b9a3a9a929db1621fd2cb4fa1b2cc
  rlm_chap: Setting 'Auth-Type := CHAP'
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 10.10.10.27:389, authentication 0
rlm_ldap: bind as / to 10.10.10.27:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: checking if remote access for test is allowed by vpnAccess
rlm_ldap: Adding radiusSimultaneousUse as Simultaneous-Use, value 1 & op=21
rlm_ldap: extracted attribute Max-Monthly-Session from generic item 
Max-Monthly-Session := 0
rlm_ldap: Adding radiusIdleTimeout as Idle-Timeout, value 1200 & op=11
rlm_ldap: extracted attribute Acct-Interim-Interval from generic item 
Acct-Interim-Interval := 300
rlm_ldap: Adding radiusSimultaneousUse as Simultaneous-Use, value 1 & op=21
rlm_ldap: extracted attribute Max-Monthly-Session from generic item 
Max-Monthly-Session := 108
rlm_ldap: Adding radiusIdleTimeout as Idle-Timeout, value 1200 & op=11
rlm_ldap: extracted attribute Acct-Interim-Interval from generic item 
Acct-Interim-Interval := 300
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 10 & op=11
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  rlm_chap: login attempt by "test" with CHAP password
  rlm_chap: Could not find clear text password for user test
Login incorrect (rlm_chap: Clear text password not available): [test] (from 
client vpntist port 128 cli 10.10.10.24)



I saw the problem in faq but I didn't find what is my mistake. The config is:


--- On Wed, 2/24/10, Alan Buxey  wrote:

From: Alan Buxey 
Subject: Re: rlm-ldap error for chap
To: "FreeRadius users mailing list" 
Date: Wednesday, February 24, 2010, 7:45 PM

Hi,

> Now to make matters a touch bit more complicated FreeRADIUS changed how 
> it accessed the clear text password in its set of attributes. In older 
> versions of FreeRADIUS it was known as User-Password, but that produced 
> an unfortunate ambiguity and it was later modified to be
> Cleartext-Password, I'm sorry but I don't remember the version this was 
> modified in.

version 1.1.4 brought this into play.

alan

Re: rlm-ldap error for chap

2010-02-24 Thread Alan Buxey
Hi,

> Now to make matters a touch bit more complicated FreeRADIUS changed how 
> it accessed the clear text password in its set of attributes. In older 
> versions of FreeRADIUS it was known as User-Password, but that produced 
> an unfortunate ambiguity and it was later modified to be
> Cleartext-Password, I'm sorry but I don't remember the version this was 
> modified in.

version 1.1.4 brought this into play.

alan


Re: rlm-ldap error for chap

2010-02-24 Thread John Dennis
I owe you an apology, I said not to edit /etc/raddb/ldap.attrmap, but 
you do. I always forget that the clear text password mapping is not in 
ldap.attrmap by default, I assume that because of the inherent security 
risks. By forcing you to add it you'll be forcefully aware of what 
you've done. Here's the issue, you don't want unprivileged users 
reading someone's password from the directory. It's vital you protect the 
clear text password with some type of access control in your ldap 
server. How you do that depends on the particular ldap server you're 
using. You might consider using precomputed hashes such as LT and NT. 
That would mitigate the exposure of a clear text password, but hashes 
should be protected as well by access control.


Now to make matters a touch bit more complicated FreeRADIUS changed how 
it accessed the clear text password in its set of attributes. In older 
versions of FreeRADIUS it was known as User-Password, but that produced 
an unfortunate ambiguity and it was later modified to be
Cleartext-Password, I'm sorry but I don't remember the version this was 
modified in.


For old versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   User-Password  userPassword

For modern versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   Cleartext-Password  userPassword

If you're still having problems then please follow-up with the full 
contents of your config file (not snippets) and the output of

radiusd -X.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
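
Why CHAP needs the clear-text password while PAP can be checked against a hashed userPassword, as an added example (not code from this thread or from FreeRADIUS). The `{SHA}` scheme handling, the challenge bytes and all function names are assumptions made for illustration; `123456` is the test value shown in the thread and `{clear}` is the header from the posted config.

```python
import base64
import hashlib
import hmac


def split_scheme(stored):
    """Split an LDAP-style userPassword value into (scheme, remainder)."""
    if stored.startswith("{") and "}" in stored:
        scheme, rest = stored[1:].split("}", 1)
        return scheme.lower(), rest
    return "clear", stored  # assumption: no header means clear text


def ldap_sha(password):
    """Build a '{SHA}' value: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def check_pap(user_password, stored):
    """PAP: the server sees the password, so it can hash and compare.

    Returns True/False, or None when the stored scheme is not handled here.
    """
    scheme, rest = split_scheme(stored)
    if scheme in ("clear", "cleartext"):
        return hmac.compare_digest(user_password.encode(), rest.encode())
    if scheme == "sha":
        candidate = hashlib.sha1(user_password.encode()).digest()
        return hmac.compare_digest(candidate, base64.b64decode(rest))
    return None


def chap_response(chap_id, password, challenge):
    """CHAP response: MD5 over ident byte, password and challenge (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def check_chap(chap_password, challenge, stored):
    """CHAP: the server must recompute the MD5 from the clear-text password.

    chap_password is the 17-byte RADIUS attribute: ident byte + 16-byte response.
    Returns True/False, or None when only a hash is stored, because the
    response cannot be recomputed from a digest of the password.
    """
    scheme, rest = split_scheme(stored)
    if scheme not in ("clear", "cleartext"):
        return None
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 response bytes")
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, rest.encode(), challenge)
    return hmac.compare_digest(response, expected)


def demo():
    """Run the same login against clear-text and hashed directory values."""
    challenge = bytes(range(16))  # constructed challenge
    attr = bytes([0]) + chap_response(0, b"123456", challenge)
    return {
        "chap_vs_clear": check_chap(attr, challenge, "123456"),
        "chap_vs_header": check_chap(attr, challenge, "{clear}123456"),
        "chap_vs_sha": check_chap(attr, challenge, ldap_sha("123456")),
        "pap_vs_sha": check_pap("123456", ldap_sha("123456")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```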


rlm-ldap error for chap

2010-02-24 Thread Eric Eric
Excuse me for replicated emails.
I'm using old version of freeradius 1.1.3! When I tried to upgrade I had a 
problem and
it is still in old version.
this is the result of search in ldap server:

dn: uid=test ,ou=example,...
uid: test
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: eduperson
objectClass: radiusobjectprofile
objectClass: radiusprofile
sn: test
cn: test test
userPassword: 123456
vpnProfileDn:...
...

--- On Tue, 2/23/10, John Dennis  wrote:

From: John Dennis 
Subject: Re: rlm-ldap error for chap
To: "FreeRadius users mailing list" 
Cc: "Eric Eric" 
Date: Tuesday, February 23, 2010, 3:46 PM

On 02/23/2010 05:31 AM, Eric Eric wrote:
> I changed Cleartext-Password in ldap.attrmap to User-Password

Don't do that, that's got nothing to do with finding the user's password in 
your directory.

It's the password_attribute in your ldap config which controls how to find the 
users password in your directory. But first you must find the user in your 
directory, which is controlled by the basedn and filter ldap config items. What 
are they set to and what does ldapsearch return when you pass ldapsearch the 
same basedn and filter?

-- John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: rlm-ldap error for chap

2010-02-23 Thread John Dennis

On 02/23/2010 05:31 AM, Eric Eric wrote:

> I changed Cleartext-Password in ldap.attrmap to User-Password


Don't do that, that's got nothing to do with finding the user's password 
in your directory.


It's the password_attribute in your ldap config which controls how to 
find the users password in your directory. But first you must find the 
user in your directory, which is controlled by the basedn and filter 
ldap config items. What are they set to and what does ldapsearch return 
when you pass ldapsearch the same basedn and filter?


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: rlm-ldap error for chap

2010-02-23 Thread John Dennis

On 02/23/2010 01:32 AM, Eric Eric wrote:

> Hi
> I want to change authentication pap to chap. The users with clear
> passwords are in ldap server. but the is error with clear password in
> rlm-ldap


What version of FreeRADIUS are you running? Normally it's the first 
thing in the debug output, except for old versions.


What does an ldap search of the test user's dn return? (use the 
ldapsearch command line utility).


My guess is there isn't an attribute called userPassword.
--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: rlm-ldap error for chap

2010-02-23 Thread Eric Eric
Excuse me my reply was incomplete and sent with error. 
I changed Cleartext-Password in ldap.attrmap to User-Password
and now:
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
and checked with password_header = "{clear}" and without it. but error is the 
same as before.


--- On Tue, 2/23/10, Eric Eric  wrote:

From: Eric Eric 
Subject: rlm-ldap error for chap
To: "FreeRadius users mailing list" 
Date: Tuesday, February 23, 2010, 10:31 AM

I changed Cleartext-Password in ldap.attrmap to User-Password
and now:
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
and checked with password_header = "{clear}" and without it. b

--- On Tue, 2/23/10, Fajar A. Nugraha  wrote:

From: Fajar A. Nugraha 
Subject: Re: rlm-ldap error for chap
To: "FreeRadius users mailing list" 
Date: Tuesday, February 23, 2010, 6:47 AM

On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric  wrote:
>
> Hi
> I want to change authentication pap to chap. The users with clear passwords 
> are in ldap server. but the is error with clear password in rlm-ldap

> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>    
>     password_attribute = userPassword
>     password_header = "{clear}"
>
>     }

does the cleartext password have a header?

-- 
Fajar


rlm-ldap error for chap

2010-02-23 Thread Eric Eric
I changed Cleartext-Password in ldap.attrmap to User-Password
and now:
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
and checked with password_header = "{clear}" and without it. b

--- On Tue, 2/23/10, Fajar A. Nugraha  wrote:

From: Fajar A. Nugraha 
Subject: Re: rlm-ldap error for chap
To: "FreeRadius users mailing list" 
Date: Tuesday, February 23, 2010, 6:47 AM

On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric  wrote:
>
> Hi
> I want to change authentication pap to chap. The users with clear passwords are
> in ldap server, but there is an error with clear password in rlm-ldap

> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>    
>     password_attribute = userPassword
>     password_header = "{clear}"
>
>     }

does the cleartext password have a header?

-- 
Fajar


Re: rlm-ldap error for chap

2010-02-22 Thread Fajar A. Nugraha
On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric  wrote:
>
> Hi
> I want to change authentication pap to chap. The users with clear passwords
> are in ldap server, but there is an error with clear password in rlm-ldap

> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>    
>     password_attribute = userPassword
>     password_header = "{clear}"
>
>     }

does the cleartext password have a header?

-- 
Fajar
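
The two questions above matter because CHAP can only be verified against the exact cleartext secret. The following is an added example, not part of the original posts and not FreeRADIUS code: it computes the RFC 1994 CHAP value and shows which combinations of stored userPassword value and password_header can verify. The header-stripping model, the password, the challenge and the {SSHA} string are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def candidate_secret(user_password: str, password_header: str) -> bytes:
    """Secret the server would try, given the LDAP value and the configured header.

    Assumption (simplified model): the header is removed only when it is a
    literal, case-sensitive prefix of the stored value.
    """
    if password_header and user_password.startswith(password_header):
        user_password = user_password[len(password_header):]
    return user_password.encode()


def leftover_scheme(user_password: str, password_header: str) -> Optional[str]:
    """Return a {scheme} prefix still present after stripping, else None.

    A leftover prefix means either the header was not stripped or the value
    is a hash; in both cases it is not the secret the peer typed.
    """
    m = re.match(rb"\{[^}]+\}", candidate_secret(user_password, password_header))
    return m.group(0).decode() if m else None


def verify_chap(user_password: str, password_header: str,
                ident: int, challenge: bytes, response: bytes) -> bool:
    """Recompute the CHAP value from the directory entry and compare."""
    expected = chap_response(
        ident, candidate_secret(user_password, password_header), challenge)
    return hmac.compare_digest(expected, response)


# Constructed exchange: what a peer knowing the real password would send.
IDENT = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PEER_PASSWORD = b"s3cret-vpn"
PEER_RESPONSE = chap_response(IDENT, PEER_PASSWORD, CHALLENGE)

# (userPassword value stored in LDAP, password_header configured in the module)
CASES: List[Tuple[str, str]] = [
    ("{clear}s3cret-vpn", "{clear}"),   # header present and stripped
    ("{clear}s3cret-vpn", ""),          # header present, nothing stripped
    ("s3cret-vpn", "{clear}"),          # no header in the directory value
    ("{SSHA}Q29uc3RydWN0ZWRFeGFtcGxlT25seQ==", "{clear}"),  # constructed hash
]


def run_cases() -> List[Tuple[str, str, bool, Optional[str]]]:
    """Evaluate every case: (value, header, CHAP verifies?, leftover scheme)."""
    return [
        (value, header,
         verify_chap(value, header, IDENT, CHALLENGE, PEER_RESPONSE),
         leftover_scheme(value, header))
        for value, header in CASES
    ]


if __name__ == "__main__":
    for value, header, ok, scheme in run_cases():
        print(f"value={value!r:45} header={header!r:10} "
              f"chap_ok={ok!s:5} leftover={scheme}")
```

A hashed value fails for the same reason as an unstripped header: the MD5 is computed over bytes that are not the password the peer used.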



rlm-ldap error for chap

2010-02-22 Thread Eric Eric
Hi
I want to change authentication pap to chap. The users with clear passwords are
in ldap server, but there is an error with clear password in rlm-ldap

radiusd -x 
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded LDAP 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Dial
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x90f2d90
Module: Instantiated ldap (ldap-Vpn) 
Module: Loaded always 
Module: Instantiated always (ok) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded SQL Counter 
Module: Instantiated sqlcounter (monthly-Vpn) 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Vpn
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
r

Re: Still with ldap error

2009-05-22 Thread Alan DeKok
Sergio Belkin wrote:
> Hi,
> 
> Some months ago I mentioned a problem that seems to be non-fatal
> but it is still there:
> 
> Fri May 22 10:00:50 2009 : Error: rlm_ldap: ldap_search() failed: LDAP
> connection lost.
> Fri May 22 10:00:50 2009 : Info: rlm_ldap: Attempting reconnect
> 
> 
> This problem appears more or less every 90 seconds.
> 
> on ldap logs you can see things like that:
...
> May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)

  That would seem to be definitive.

> I've tried modifying idletimeout and timelimit in slapd.conf, and
> modifying limits per ldap radius user.
> 
> I was playing with timeout and timelimit and nothing changed it.
> Raising and lowering

  Well.. it's not a RADIUS problem.  File a bug with OpenLDAP.

  Alan DeKok.


Still with ldap error

2009-05-22 Thread Sergio Belkin
Hi,

Some months ago I mentioned a problem that seems to be non-fatal
but it is still there:

Fri May 22 10:00:50 2009 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Fri May 22 10:00:50 2009 : Info: rlm_ldap: Attempting reconnect


This problem appears more or less every 90 seconds.

In the ldap logs you can see things like this:


May 22 04:16:40 ldap-server slapd[27663]: conn=219 fd=14 ACCEPT from
IP=127.0.0.1:56359 (IP=127.0.0.1:389)
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND
dn="uid=jojo0l4,ou=people,dc=domain,dc=edu" method=128
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND
dn="uid=jojo0l4,ou=people,dc=domain,dc=edu" mech=SIMPLE ssf=0
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 RESULT tag=97
err=0 text=
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND anonymous
mech=implicit ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND
dn="uid=jojoi1,ou=people,dc=domain,dc=edu" method=128
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND
dn="uid=jojoi1,ou=people,dc=domain,dc=edu" mech=SIMPLE ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 RESULT tag=97
err=0 text=
May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 ACCEPT from
IP=IPADDRESS:57845 (IP=0.0.0.0:636)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 TLS
established tls_ssf=256 ssf=256
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND
dn="uid=jojo2,ou=people,dc=domain,dc=edu" method=128
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND
dn="uid=jojo2,ou=people,dc=domain,dc=edu" mech=SIMPLE ssf=0
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 RESULT tag=97
err=0 text=
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=1 UNBIND
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 closed
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 ACCEPT from
IP=IPADDRESS:36313 (IP=0.0.0.0:636)
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 TLS
established tls_ssf=256 ssf=256


I've tried modifying idletimeout and timelimit in slapd.conf, and
modifying limits per ldap radius user.

I was playing with timeout and timelimit and nothing changed it.
Raising and lowering


Using FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu,
built on Oct 21 2008 at 15:14:37


I'd thank you for your help!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
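
The slapd lines in this post can be checked mechanically for how long a connection sat idle before the server closed it. The following is an added example, not part of the original post: it pairs each close event with the last activity on the same connection. The sample is constructed by re-joining the wrapped log lines from the post; the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: slapd lines from the post, re-joined onto single lines.
SAMPLE_LOG = """\
May 22 04:16:40 ldap-server slapd[27663]: conn=219 fd=14 ACCEPT from IP=127.0.0.1:56359 (IP=127.0.0.1:389)
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn="uid=jojo0l4,ou=people,dc=domain,dc=edu" method=128
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn="uid=jojoi1,ou=people,dc=domain,dc=edu" method=128
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 RESULT tag=97 err=0 text=
May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 ACCEPT from IP=IPADDRESS:57845 (IP=0.0.0.0:636)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn="uid=jojo2,ou=people,dc=domain,dc=edu" method=128
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=1 UNBIND
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 closed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) (?P<rest>.*)$"
)
CLOSE_RE = re.compile(r"fd=\d+ closed(?: \((?P<reason>[^)]*)\))?$")


class Close(NamedTuple):
    pid: int                      # slapd process that owned the connection
    conn: int                     # connection id (reused after a restart)
    reason: str                   # "idletimeout", "normal", ...
    idle_seconds: Optional[int]   # gap between last activity and the close


def connection_closes(log_text: str, year: int = 2009) -> List[Close]:
    """Return one Close per 'closed' line, with the idle gap before it.

    Connections are keyed by (pid, conn): the post shows conn=219 under
    three different slapd PIDs, so the connection id alone is ambiguous.
    """
    last_seen: Dict[Tuple[int, int], datetime] = {}
    closes: List[Close] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd connection line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (int(m["pid"]), int(m["conn"]))
        closed = CLOSE_RE.search(m["rest"])
        if closed is None:
            last_seen[key] = ts   # ACCEPT, BIND, RESULT, ... count as activity
            continue
        previous = last_seen.pop(key, None)
        idle = int((ts - previous).total_seconds()) if previous else None
        closes.append(Close(key[0], key[1], closed["reason"] or "normal", idle))
    return closes


def idle_timeouts(log_text: str, year: int = 2009) -> List[Close]:
    """Only the closes that slapd attributed to its idle timer."""
    return [c for c in connection_closes(log_text, year)
            if c.reason == "idletimeout"]


if __name__ == "__main__":
    for c in connection_closes(SAMPLE_LOG):
        print(f"slapd[{c.pid}] conn={c.conn} closed ({c.reason}) "
              f"after {c.idle_seconds}s without activity")
```

Run over a full log, the idle gaps can be compared with the interval at which rlm_ldap reports "LDAP connection lost".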


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-23 Thread peppeska
peppeska wrote:


> my script to start pppoe-server is
> 
> 
> debian:~# cat start-pppoe2.sh
> #!/bin/bash
> MAX=250
> BASE=10.67.7.1
> NAT=10.67.7.0/24
> MYIP=193.205.94.13
> iptables -A INPUT -i eth0 -s $NAT -j DROP
> iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
> pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R -S PPPoE-R -R $BASE
> debian:~#

nobody can help me?

- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
> ...
>> Sending Access-Accept of id 50 to 127.0.0.1 port 1028
> ...
>> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
> 
>   PPPD is broken.
> 
And what must I do now?

@Thibault Le Meur

I use your dictionary...

the final response is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0xb6b462d0d978bcbfe51e4783f4a3dd32
MS-CHAP2-Response =
0xa0002138a2441156e5ed33506db0e19e960db1cfdb576490d5d29b54d30317856b01d0780f1d51ef5fa7
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 51 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0xa0533d32463945383842443446423034313543303139374631363834344244424532413836423234323346
MS-MPPE-Recv-Key = 0xee31ff0993d0e3b1589a2920ac31b3d8
MS-MPPE-Send-Key = 0x61bccd9e7dbd48aa264d2117a72ed2cc
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Sending duplicate reply to client localhost:1028 - ID: 51
Re-sending Access-Accept of id 51 to 127.0.0.1 port 1028
- --- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 46018448
Nothing to do.  Sleeping until we see a request.





debian:/etc/freeradius# tail /var/log/messages
Mar 21 19:38:15 debian -- MARK --
Mar 21 19:58:19 debian -- MARK --
Mar 21 20:15:14 debian pppd[4426]: Plugin radius.so loaded.
Mar 21 20:15:14 debian pppd[4426]: RADIUS plugin initialized.
Mar 21 20:15:15 debian pppd[4426]: pppd 2.4.4 started by root, uid 0
Mar 21 20:15:17 debian pppd[4426]: Using interface ppp0
Mar 21 20:15:17 debian pppd[4426]: Connect: ppp0 <--> /dev/pts/2
Mar 21 20:15:32 debian pppd[4426]: Peer peppeska failed CHAP authentication
Mar 21 20:15:32 debian pppd[4426]: Connection terminated.
Mar 21 20:15:33 debian pppd[4426]: Exit.
debian:/etc/freeradius#



my script to start pppoe-server is


debian:~# cat start-pppoe2.sh
#!/bin/bash
MAX=250
BASE=10.67.7.1
NAT=10.67.7.0/24
MYIP=193.205.94.13
iptables -A INPUT -i eth0 -s $NAT -j DROP
iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
pppoe-server -T 60 -I eth1 -N $MAX -C

Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> but plog:
>
> [EMAIL PROTECTED]:/home/peppeska# plog
> Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
> Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
> Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
> Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
> Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1
> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
> Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
> Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
> [EMAIL PROTECTED]:/home/peppeska# poff
>
> UFFA!!! I promise that I will send a "Cassata Siciliana" to whoever resolves my
> problem...
>
  plog may not be enough: could you check /var/log/messages?

Moreover, what dictionary.microsoft file are you using? Maybe it is
lacking some attributes and radiusclient doesn't understand them.

If you're not using the one I posted today, could you test with this
one instead?

Thibault




Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
...
> Sending Access-Accept of id 50 to 127.0.0.1 port 1028
...
> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:

  PPPD is broken.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
>> Ok!!!
>> Now I have this configuration
>>
>> INCLUDE /etc/radiusclient/dictionary.microsoft
>> INCLUDE /etc/radiusclient/dictionary.ascend
>> INCLUDE /etc/radiusclient/dictionary.compat
>> INCLUDE /etc/radiusclient/dictionary.merit
>> $INCLUDE /usr/share/freeradius/dictionary
> 
>   No.  radiusclient can't use the FreeRADIUS dictionaries.
> 
ok

now I don't have the freeradius dictionary...

now the freeradius:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=50, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0x3733ba43d6d8debb5b0302f590250afd
MS-CHAP2-Response =
0x0f00997701aa0d8775038e203d7c0487880fe6ba63b22268fbe23624491c47a9744354f94591fc730a90
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 50 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x0f533d33344135313830413334423831353141383738414532454632414341303830394341423344393945
MS-MPPE-Recv-Key = 0x923e2c93c2156b71231ea782495f5b99
MS-MPPE-Send-Key = 0x44fe16f0095f4b51b33c59a5387f512c
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
- --- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 4601790a
Nothing to do.  Sleeping until we see a request.

but plog:

[EMAIL PROTECTED]:/home/peppeska# plog
Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1
Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
[EMAIL PROTECTED]:/home/peppeska# poff

UFFA!!! I promise that I will send a "Cassata Siciliana" to whoever resolves my
problem...

> 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B

RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur


> -Original Message-
> From: 
> [EMAIL PROTECTED]
> radius.org 
> [mailto:[EMAIL PROTECTED]
> sts.freeradius.org] On behalf of peppeska
> Sent: Wednesday, 21 March 2007 18:36
> To: FreeRadius users mailing list
> Subject: Re: RE : RE : RE : freeradius, ldap error - HELP ME!
> 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Ok!!!
> Now I have this configuration
> 
> > 
> INCLUDE /etc/radiusclient/dictionary.microsoft
> INCLUDE /etc/radiusclient/dictionary.ascend
> INCLUDE /etc/radiusclient/dictionary.compat
> INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Very Very Very Weird
I'm curious about one thing: when you remove the last "$INCLUDE" line, does
it work as described below?

I'm also wondering why only "INCLUDE" statements work, unless the radiusclient
code uses a hardcoded "$INCLUDE" strncmp in dict.c

Alan, I thought there was a plan to make the radiusclient hosted at
freeradius.org so that it will benefit from Freeradius development: is it
still a plan?

 
> And... (same roll of drums)
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1028, 
> id=40, length=136
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "peppeska"
> MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
> MS-CHAP2-Response = 
> 0x05006a01dac8d579188fab13d4f5b10524c274aba522
> 70d19850e5169d1e6410fe36c608d63ff061a401
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0

Better,

> Sending Access-Accept of id 40 to 127.0.0.1 port 1028
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> MS-CHAP2-Success = 
> 0x05533d463841343638303834373332313835434433353945383639333946
> 3645323432363332373143
> MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
> MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
> MS-MPPE-Encryption-Policy = 0x0002
> MS-MPPE-Encryption-Types = 0x0004

Ok, you're done with Freeradius.

> Well! it works! or not?

As far as Freeradius is concerned yes.

> because.. this is the pppoe-server log
> 
> debian:~# plog
> Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
> Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
> Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
> Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
> Mar 21 18:33:54 debian pppd[4306]:   script /usr/sbin/pppoe -n -I eth1
> - -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
> Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e
> 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
> Mar 21 18:33:55 debian pppd[4306]: Exit.
> debian:~#
> 
> 
> boh!! I really don't know why...

Just a question: who is supposed to assign the IP address: Freeradius in
Framed-IP-Address Attribute or your pppoe server?

Regards,
Thibault





Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
> Ok!!!
> Now I have this configuration
> 
> INCLUDE /etc/radiusclient/dictionary.microsoft
> INCLUDE /etc/radiusclient/dictionary.ascend
> INCLUDE /etc/radiusclient/dictionary.compat
> INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

  No.  radiusclient can't use the FreeRADIUS dictionaries.

  Once freeradius-client is updated, it will use the FreeRADIUS
dictionaries.  But radiusclient can't.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Ok!!!
Now I have this configuration

> 
INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.compat
INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary

And... (same roll of drums)

rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
MS-CHAP2-Response =
0x05006a01dac8d579188fab13d4f5b10524c274aba52270d19850e5169d1e6410fe36c608d63ff061a401
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 1
modcall: leaving group MS-CHAP (returns ok) for request 1
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
  modcall[post-auth]: module "ldap" returns noop for request 1
modcall: leaving group post-auth (returns noop) for request 1
Sending Access-Accept of id 40 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x05533d4638413436383038343733323138354344333539453836393339463645323432363332373143
MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 1
Going to the next request
- --- Walking the entire request list ---
Waking up in 6 seconds...
- --- Walking the entire request list ---
Cleaning up request 1 ID 40 with timestamp 4601688f
Nothing to do.  Sleeping until we see a request.

Well! it works! or not?

because.. this is the pppoe-server log

debian:~# plog
Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
Mar 21 18:33:54 debian pppd[4306]:   script /usr/sbin/pppoe -n -I eth1
- -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e
5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
Mar 21 18:33:55 debian pppd[4306]: Exit.
debian:~#


boh!! I really don't know why...


> 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
> > 
> > MMM damn! why doesn't freeradius want to work with me?
> 
> It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
> 
> > 
> > P.S.
> > without the Default Auth-Type in the users file...it's the
> > same... If I put $INCLUDE instead of INCLUDE... it works like before...
> 
> Very strange, I've got several servers here using radiusclient 
> with the INCLUDE syntax !!

Very very curious, I've checked radiusclient's original code and it seems it
is "$INCLUDE" syntax that is the good one.
So keep with this one for now.
I just have no clue on why on my system only "INCLUDE" works !!


Sorry for this wrong information !


Have you got new results?

Regards,
Thibault





RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> 
> >> and in the dictonary file:
> >> $INCLUDE /etc/radiusclient/dictionary.microsoft
> >> $INCLUDE /etc/radiusclient/dictionary.ascend
> >> $INCLUDE /etc/radiusclient/dictionary.compat
> >> $INCLUDE /etc/radiusclient/dictionary.merit
> >> $INCLUDE /usr/share/freeradius/dictionary
> > 
> > Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the 
> > syntax for radiusclient.
> 
> Now.. without "$"

 
> the /etc/freeradius/users file now contain:
> 
> DEFAULT Auth-Type = "MS-CHAP"
> Fall-Through = yes

Not a good idea ;-)


> > But this can work only if radiusclient knows the MS-CHAP Radius 
> > attributes, which is not the case for the momenet (see above the 
> > INCLUDE issue).
> > 
> 
> Well.. I try now... and(roll of drumps):
> 
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> 
> NOTHING the freeradius don't recive request (uff)

That's because the NAS doesn't send packets (or because you have firewall
rules dropping packets, but this shouldn't be the case since you got packets
in the past).

> 
> and:
> 
> debian:~# plog
> Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
> Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
> Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
> Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
> Mar 21 16:13:52 debian pppd[3885]: Exit.
> debian:~#
> 
> MMM damn! why freeradius don't want work with me?

It's not a Freeradius issue, but a ppp/radiusclient issue ;-)

> 
> P.S.
> without the Deafult Auth-Type in the users file...it's the 
> same... If I put $INCLUDE instead INCLUDE... work like before...

Very strange, I've got several servers here using radiusclient with the
INCLUDE syntax !!

Or may it be an issue with the dictionary files ?
> >> $INCLUDE /usr/share/freeradius/dictionary

Avoid this one, it shouldn't be necessary.

> >> $INCLUDE /etc/radiusclient/dictionary.microsoft
> >> $INCLUDE /etc/radiusclient/dictionary.ascend
> >> $INCLUDE /etc/radiusclient/dictionary.compat
> >> $INCLUDE /etc/radiusclient/dictionary.merit

Are these dictionaries from the radiusclient distro or did you copy the
dictionaries from freeradius ?
Please use only dictionaries from the radiusclient distributions.
(Or try the one I posted if you don't have them in the distro).

Let me know,
Thibault




Re: RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
>> Thibault Le Meur wrote:
>>> Have you setup ppp to use mschap (require-mschap-v2 option) ? Are
>>> you using the radiusclient library ?
>>  refuse-pap
>>  refuse-chap
>>  require-mschap
>>  require-mschap-v2
>>  require-mppe
> 
> 
> Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge
> instead: that's what I thought.
> 

oook


>> and in the dictonary file:
>> $INCLUDE /etc/radiusclient/dictionary.microsoft
>> $INCLUDE /etc/radiusclient/dictionary.ascend
>> $INCLUDE /etc/radiusclient/dictionary.compat
>> $INCLUDE /etc/radiusclient/dictionary.merit
>> $INCLUDE /usr/share/freeradius/dictionary
> 
> Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for
> radiusclient.

Now.. without "$"
> 
> 
>> But... whitout declaretion of Default Auth-Type in the users file:
>>
>> rlm_ldap: user peppeska authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>>   modcall[authorize]: module "ldap" returns ok for request 0
>> modcall: leaving group authorize (returns ok) for request 0
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>> Login incorrect: [peppeska/] 
>> (from client localhost port 0) Delaying request 0 for 1 
>> seconds Finished request 0
> 
> Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
> Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.
> 

k

the /etc/freeradius/users file now contains:

DEFAULT Auth-Type = "MS-CHAP"
Fall-Through = yes


> But this can work only if radiusclient knows the MS-CHAP Radius attributes,
> which is not the case for the momenet (see above the INCLUDE issue).
> 

Well.. I try now... and (roll of drums):

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

NOTHING, freeradius doesn't receive the request (uff)

and:

debian:~# plog
Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
Mar 21 16:13:52 debian pppd[3885]: Exit.
debian:~#

MMM damn! Why doesn't freeradius want to work with me?

P.S.
without the Default Auth-Type in the users file... it's the same...
If I put $INCLUDE instead of INCLUDE... it works like before...

and now?




- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
Hi,

Very strange I didn't get this email ?

See my comments below:

> 
> Thibault Le Meur wrote:
> >> >> But the output now is:
> >> >>
> >> >> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> >> >> Service-Type = Framed-User
> >> >> Framed-Protocol = PPP
> >> >> User-Name = "peppeska"
> >> >> NAS-IP-Address = 127.0.0.1
> >> >> NAS-Port = 0
> >> >>
> >> >> ^
> >> >> ->Where is User-Password attribute?
> >> >> -
> > >
> > > A good question indeed, that one should be asked to your NAS  ;-)
> > >
> > > It's up to the NAS to send User-Password: unless it is setup to do something
> > > else (for instance MSCHAP).
> > >
> > > Have you setup ppp to use mschap (require-mschap-v2 option) ? Are 
> > > you using the radiusclient library ?
> 
>  refuse-pap
>  refuse-chap
>  require-mschap
>  require-mschap-v2
>  require-mppe


OK, so your NAS doesn't have to send User-Password but an MS-CHAP challenge
instead: that's what I thought.

> > > If yes, could you check that you radiusclient dictionnary file 
> > > includes Microsoft attributes:
> > > * check the "dictionary  " line of
> > > /etc/radiusclient-ng/radiusclient.conf file (or 
> > > /etc/radiusclient/radiusclient.conf file)
> > > * check that the file  contains a reference to 
> > > other dictionnary files such as: INCLUDE 
> > > /usr/share/radiusclient-ng/dictionary.merit
> > > INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > > * check that you have these 2 extra dictionnary files (especially 
> > > the microsoft one) ==> I've attached the two files
> 
> in my radiusclient.conf there is:
> 
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary  /etc/radiusclient/dictionary
> 
> and in the dictonary file:
> $INCLUDE /etc/radiusclient/dictionary.microsoft
> $INCLUDE /etc/radiusclient/dictionary.ascend
> $INCLUDE /etc/radiusclient/dictionary.compat
> $INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for
radiusclient.


> But... whitout declaretion of Default Auth-Type in the users file:
> 
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [peppeska/] 
> (from client localhost port 0) Delaying request 0 for 1 
> seconds Finished request 0

Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.

But this can work only if radiusclient knows the MS-CHAP Radius attributes,
which is not the case for the moment (see above the INCLUDE issue).

Regards,
Thibault
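
The diagnosis worked out in this thread, as an added Python example that is not part of any post or of FreeRADIUS itself: it reads `radiusd -X` debug output, lists the attributes each Access-Request carried, and separates "the NAS sent no credentials" from "an Auth-Type was forced without matching credentials". The function names, the diagnosis labels and the sample log (including the MS-CHAP attribute values) are constructed for illustration, modeled on the debug lines quoted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Auth-Type -> request attributes that can satisfy it (any one is enough).
AUTH_TYPE_NEEDS = {
    "PAP": {"User-Password"},
    "LDAP": {"User-Password"},  # rlm_ldap: 'Attribute "User-Password" is required'
    "CHAP": {"CHAP-Password"},
    "MS-CHAP": {"MS-CHAP-Response", "MS-CHAP2-Response"},
    "EAP": {"EAP-Message"},
}
CREDENTIAL_ATTRS = set().union(*AUTH_TYPE_NEEDS.values())

# Matches both "host 127.0.0.1:1030, id=65" and "host 10.1.98.52 port 45105, id=139".
REQ_RE = re.compile(
    r"rad_recv: Access-Request packet from host (\S+?)(?::\d+| port \d+), id=(\d+)")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) = (.+)$")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")
QUOTE_RE = re.compile(r"^(?:>\s?)+")  # mail quoting, so pasted replies parse too


@dataclass
class Request:
    host: str
    req_id: int
    attrs: dict = field(default_factory=dict)
    auth_type: Optional[str] = None   # from "rad_check_password: Found Auth-Type X"
    no_auth_method: bool = False      # "No authenticate method (Auth-Type) ..." seen


def parse_debug_log(text):
    """Split debug output into requests with their attributes and outcome."""
    requests, current, in_attrs = [], None, False
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw.strip()).strip()
        m = REQ_RE.search(line)
        if m:
            current = Request(m.group(1), int(m.group(2)))
            requests.append(current)
            in_attrs = True
            continue
        if current is None:
            continue
        if in_attrs:
            a = ATTR_RE.match(line)
            if a:
                current.attrs[a.group(1)] = a.group(2)
                continue
            in_attrs = False  # attribute list ends at the first other line
        t = AUTH_TYPE_RE.search(line)
        if t:
            current.auth_type = t.group(1)
        if "No authenticate method (Auth-Type)" in line:
            current.no_auth_method = True
    return requests


def diagnose(req):
    """Return a label saying where the problem lies for one request."""
    offered = CREDENTIAL_ATTRS & set(req.attrs)
    if req.auth_type is not None:
        needs = AUTH_TYPE_NEEDS.get(req.auth_type)
        if needs is None:
            return "unknown-auth-type"
        # An Auth-Type with none of its attributes present was set by hand
        # (for example DEFAULT Auth-Type = ... in the users file).
        return "ok" if needs & offered else "auth-type-without-credentials"
    # No module claimed the request: either the NAS sent nothing to claim,
    # or the module for the offered method is missing from authorize.
    return "credentials-unclaimed" if offered else "nas-sent-no-credentials"


# Constructed sample, shaped like the debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=66, length=54
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "peppeska"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
  Processing the authorize section of radiusd.conf
  modcall[authorize]: module "mschap" returns noop for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> User-Name = "peppeska"
> NAS-IP-Address = 127.0.0.1
>   rad_check_password:  Found Auth-Type LDAP
> rlm_ldap: Attribute "User-Password" is required for authentication.
rad_recv: Access-Request packet from host 127.0.0.1:1031, id=40, length=150
    User-Name = "peppeska"
    MS-CHAP-Challenge = 0x0102030405060708
    MS-CHAP2-Response = 0x0000aabbccdd
  rad_check_password:  Found Auth-Type MS-CHAP
"""

if __name__ == "__main__":
    for r in parse_debug_log(SAMPLE_LOG):
        creds = sorted(CREDENTIAL_ATTRS & set(r.attrs)) or ["none"]
        print(f"id={r.req_id} from {r.host}: credentials={creds} -> {diagnose(r)}")
```

A `nas-sent-no-credentials` result points at the pppd/radiusclient side (for example its dictionary files), while `auth-type-without-credentials` points at a hand-set Auth-Type on the server.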






Re: RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Thibault Le Meur wrote:
> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of peppeska
>> Sent: Wednesday 21 March 2007 13:44
>> To: FreeRadius users mailing list
>> Subject: Re: freeradius, ldap error - HELP ME!
>>
>> Michael Mitchell wrote:
>>> peppeska wrote:
>>>>>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, 
>>>>>> length=54
>>>  ^^
>>>
>>>>>> ->Where is User-Password attribute?
>>>>>  Ask the NAS.
>>>>>
>>>> what?
>>>>
>>> In this case I have a suspicion the "NAS" could be radclient...
>>>
>>> How are you sending requests to freeRADIUS?
>>>
>> Freeradius recive request from pppoe-server, I try to connect 
>> to pppoe-server from a linux box
> 
> 
> Is your pppoe-server a linux server ?
> Is your pppoe client or pppoe server configured to use ms-chap
> authentication ?
> 
> If your pppoe server is a linux box, have you checked that the radiusclient
> library contains the microsoft dictionnary as I described in my previous
> email ?



Thibault Le Meur wrote:
>> >> But the output now is:
>> >>
>> >> rad_recv: Access-Request packet from host 127.0.0.1:1030,
>> >> id=65, length=54
>> >> Service-Type = Framed-User
>> >> Framed-Protocol = PPP
>> >> User-Name = "peppeska"
>> >> NAS-IP-Address = 127.0.0.1
>> >> NAS-Port = 0
>> >>
>> >> ^
>> >> ->Where is User-Password attribute?
>> >> -
> >
> > A good question indeed, that one should be asked to your NAS  ;-)
> >
> > It's up to the NAS to send User-Password: unless it is setup to do something
> > else (for instance MSCHAP).
> >
> > Have you setup ppp to use mschap (require-mschap-v2 option) ?
> > Are you using the radiusclient library ?

 refuse-pap
 refuse-chap
 require-mschap
 require-mschap-v2
 require-mppe

> >
> > If yes, could you check that you radiusclient dictionnary file includes
> > Microsoft attributes:
> > * check the "dictionary  " line of
> > /etc/radiusclient-ng/radiusclient.conf file (or
> > /etc/radiusclient/radiusclient.conf file)
> > * check that the file  contains a reference to other
> > dictionnary files such as:
> > INCLUDE /usr/share/radiusclient-ng/dictionary.merit
> > INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > * check that you have these 2 extra dictionnary files (especially the
> > microsoft one)
> > ==> I've attached the two files

in my radiusclient.conf there is:

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary  /etc/radiusclient/dictionary

and in the dictionary file:
$INCLUDE /etc/radiusclient/dictionary.microsoft
$INCLUDE /etc/radiusclient/dictionary.ascend
$INCLUDE /etc/radiusclient/dictionary.compat
$INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary


But... without declaration of Default Auth-Type in the users file:

rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0


- --
  <<<<-->>>>
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  <<<<-->>>>


RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of peppeska
> Sent: Wednesday 21 March 2007 13:44
> To: FreeRadius users mailing list
> Subject: Re: freeradius, ldap error - HELP ME!
> 
> Michael Mitchell wrote:
> > peppeska wrote:
> >>>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, 
> >>>> length=54
> >  ^^
> > 
> >>>> ->Where is User-Password attribute?
> >>>  Ask the NAS.
> >>>
> >> what?
> >>
> > 
> > In this case I have a suspicion the "NAS" could be radclient...
> > 
> > How are you sending requests to freeRADIUS?
> > 
> Freeradius recive request from pppoe-server, I try to connect 
> to pppoe-server from a linux box


Is your pppoe-server a linux server ?
Is your pppoe client or pppoe server configured to use ms-chap
authentication ?

If your pppoe server is a linux box, have you checked that the radiusclient
library contains the microsoft dictionary as I described in my previous
email ?

Regards,
Thibault Le Meur





Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Michael Mitchell wrote:
> peppeska wrote:
>>>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
>  ^^
> 
>>>> ->Where is User-Password attribute?
>>>  Ask the NAS.
>>>
>> what?
>>
> 
> In this case I have a suspicion the "NAS" could be radclient...
> 
> How are you sending requests to freeRADIUS?
> 
Freeradius receives the request from pppoe-server; I try to connect to
pppoe-server from a Linux box


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Michael Mitchell
peppeska wrote:
>>>
>>>rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
 ^^

>>>->Where is User-Password attribute?
>>
>>  Ask the NAS.
>>
> 
> what?
> 

In this case I have a suspicion the "NAS" could be radclient...

How are you sending requests to freeRADIUS?

regards,
Mike


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
>> Now my configuration in user file is:
>>
>> DEFAULT Auth-Type = "LDAP"
>> Fall-Through = 1
> 
>   Can you explain why you're setting Auth-Type?  All of the docs say to
> NOT DO THAT.

OK,
I commented that out

but now:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=66, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
^^^
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 66 to 127.0.0.1 port 1030
Cleaning up request 0 ID 66 with timestamp 46010854
Nothing to do.  Sleeping until we see a request.



> 
>> But the output now is:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> ...
>> ^
>> ->Where is User-Password attribute?
> 
>   Ask the NAS.
> 

what?

> 


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> But the output now is:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "peppeska"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> 
> ^
> ->Where is User-Password attribute?
> -

A good question indeed, that one should be asked to your NAS ;-)

It's up to the NAS to send User-Password: unless it is setup to do something
else (for instance MSCHAP).

Have you setup ppp to use mschap (require-mschap-v2 option) ?
Are you using the radiusclient library ? 

If yes, could you check that your radiusclient dictionary file includes
Microsoft attributes:
* check the "dictionary  " line of
/etc/radiusclient-ng/radiusclient.conf file (or
/etc/radiusclient/radiusclient.conf file)
* check that the file  contains a reference to other
dictionary files such as:
INCLUDE /usr/share/radiusclient-ng/dictionary.merit
INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
* check that you have these 2 extra dictionary files (especially the
microsoft one)
==> I've attached the two files

Regards,
Thibault




>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 155
> users: Matched entry DEFAULT at line 173
> users: Matched entry DEFAULT at line 185
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for peppeska
> radius_xlat:  '(cn=peppeska)'
> radius_xlat:  'dc=example'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> 
> -> m depend to ppp version? it's possible?
> --
>   modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: leaving group LDAP (returns invalid) for request 0
> auth: Failed to validate the user.
> Login incorrect: [peppeska/] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 65 to 127.0.0.1 port 1030
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 65 with timestamp 4600fb5f
> Nothing to do.  Sleeping until we see a request.
> 
> 
> 
> ok.. I my ldap.attrmap contain:
> 
> checkItem   User-Password   lmPassword
> checkItem   LM-Password lmPassword
> checkItem   NT-Password ntPassword
> 
> And the ldap section in radiusd.conf contain:
> 
> password_attribute = User-Password
> 
> 
> What's the problem?
> 
> 
> - --
>   --
>   |Giuseppe Moscato aka peppeska - Linux User - no html messages---|
> 
>   |[EMAIL PROTECTED] - http://peppeska.altervista.org--|
> 
>   |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
>   --

Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
> Now my configuration in user file is:
> 
> DEFAULT Auth-Type = "LDAP"
> Fall-Through = 1

  Can you explain why you're setting Auth-Type?  All of the docs say to
NOT DO THAT.

> But the output now is:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
...
> ^
> ->Where is User-Password attribute?

  Ask the NAS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
Alan DeKok wrote:
> peppeska wrote:
> ...
>> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "peppeska"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>>   rad_check_password:  Found Auth-Type MS-CHAP
>> auth: type "MS-CHAP"
>
>   Where did the "Auth-Type = MS-CHAP" come from?  It's not in the
> default configuration.

OK, I made some changes in my configuration file..

Now my configuration in the user file is:

DEFAULT Auth-Type = "LDAP"
Fall-Through = 1


But the output now is:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0

^
->Where is User-Password attribute?
-
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.

-> m depend to ppp version? it's possible?
--
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 65 to 127.0.0.1 port 1030
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 65 with timestamp 4600fb5f
Nothing to do.  Sleeping until we see a request.



ok.. my ldap.attrmap contains:

checkItem   User-Password   lmPassword
checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword

And the ldap section in radiusd.conf contains:

password_attribute = User-Password


What's the problem?


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alan DeKok ha scritto:
> peppeska wrote:
> ...
>> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "peppeska"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>>   rad_check_password:  Found Auth-Type MS-CHAP
>> auth: type "MS-CHAP"
>
>   Where did the "Auth-Type = MS-CHAP" come from?  It's not in the
> default configuration.

ok I make some change in my configuration file..

Now my configuration in user file is:

DEFAULT Auth-Type = "LDAP"
Fall-Through = 1


But the output now is:

rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0

^
- ->Where is User-Password attribute?
- 
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.

- -> m depend to ppp version? it's possible?
- --
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 65 to 127.0.0.1 port 1030
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 65 with timestamp 4600fb5f
Nothing to do.  Sleeping until we see a request.



ok.. my ldap.attrmap contains:

checkItem   User-Password   lmPassword
checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword

And the ldap section in radiusd.conf contains:

password_attribute = User-Password


What's the problem?


--
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


Re: freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
...
> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "peppeska"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"

  Where did the "Auth-Type = MS-CHAP" come from?  It's not in the
default configuration.

  i.e. you edited the server configuration to break it.  Don't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
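
Added example (not part of Alan DeKok's reply and not FreeRADIUS code): a Python check for the condition behind the rejects quoted in this thread, an Auth-Type selected for a request that does not carry the attribute that method needs. The sample log is constructed in the format of the debug output in this thread; `REQUIRED`, `SAMPLE_LOG` and `diagnose` are names introduced here.

```python
import re

# Request attribute each Auth-Type needs before it can validate a user.
# LDAP and MS-CHAP entries match the rlm_ldap / rlm_mschap messages in this thread.
REQUIRED = {
    "PAP": "User-Password",
    "LDAP": "User-Password",
    "CHAP": "CHAP-Password",
    "MS-CHAP": "MS-CHAP-Challenge",
}

# Constructed sample in the format of the debug output quoted in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
Service-Type = Framed-User
User-Name = "peppeska"
  Processing the authorize section of radiusd.conf
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
  rad_check_password:  Found Auth-Type MS-CHAP
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=74
User-Name = "peppeska"
User-Password = "constructed-value"
  rad_check_password:  Found Auth-Type LDAP
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host .*\bid=(\d+)")
ATTR = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*) = ")
AUTH = re.compile(r"rad_check_password:\s+Found Auth-Type (?:= )?(\S+)")

def diagnose(log_text):
    """Return one dict per Access-Request: id, attrs sent, Auth-Type, missing attr."""
    requests, cur, in_attrs = [], None, False
    for line in log_text.splitlines():
        if (m := RECV.match(line)):
            cur = {"id": int(m.group(1)), "attrs": set(), "auth_type": None, "missing": None}
            requests.append(cur)
            in_attrs = True  # the attribute list follows the rad_recv line directly
        elif cur is None:
            continue
        elif in_attrs and (m := ATTR.match(line)):
            cur["attrs"].add(m.group(1))
        else:
            in_attrs = False  # list ended; later "X = y" text is module output, not an attribute
            if (m := AUTH.search(line)):
                cur["auth_type"] = m.group(1)
                need = REQUIRED.get(m.group(1))
                cur["missing"] = need if need and need not in cur["attrs"] else None
    return requests
```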


Re: freeradius, ldap error - HELP ME!

2007-03-20 Thread peppeska


Thibault Le Meur wrote:

>> Comment this line in your ldap section of radiusd.conf:
>> # access_attr = "dialupAccess"
>
> And comment this one too, like this:
> # access_attr_used_for_allow = yes

I did it! And now there is the following error:

rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 118 to 127.0.0.1 port 1027
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 118 with timestamp 4600073d
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=119, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 1
modcall: leaving group MS-CHAP (returns reject) for request 1
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client
localhost port 0)
Del

RE : RE : freeradius, ldap error - HELP ME!

2007-03-20 Thread Thibault Le Meur


> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to localhost:389, authentication 0
> > rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> > rlm_ldap: no dialupAccess attribute - access denied by default
> 
> 
> 
> Comment this line in your ldap section of radiusd.conf:
> # access_attr = "dialupAccess"

And comment this one too, like this:
# access_attr_used_for_allow = yes

> 
> HTH,
> Thibault
> 
> 
> 




RE : freeradius, ldap error - HELP ME!

2007-03-20 Thread Thibault Le Meur


> -----Original Message-----
> From: 
> [EMAIL PROTECTED]
> radius.org 
> [mailto:[EMAIL PROTECTED]
> sts.freeradius.org] On Behalf Of peppeska
> Sent: Tuesday 20 March 2007 10:34
> To: FreeRadius users mailing list
> Subject: freeradius, ldap error - HELP ME!
> 
> 
> Please freeradius User... HELP ME!
> 
> So, I use a pppoe-freeradius-ldap system for access and to 
> authenticate users.. but something goes wrong.. and when I try to 
> connect, this error appears... what's wrong in my configuration?
> 
> look at this! this is the freeradius output

> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> rlm_ldap: no dialupAccess attribute - access denied by default



Comment this line in your ldap section of radiusd.conf:
# access_attr = "dialupAccess"

HTH,
Thibault





freeradius, ldap error - HELP ME!

2007-03-20 Thread peppeska

Please freeradius User... HELP ME!

So, I use a pppoe-freeradius-ldap system for access and to authenticate
users.. but something goes wrong.. and when I try to connect, this
error appears... what's wrong in my configuration?

look at this! this is the freeradius output


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=159, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [peppeska/] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 159 to 127.0.0.1 port 1027
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 159 with timestamp 45ffa841
Nothing to do.  Sleeping until we see a request.

But the LDAP database works fine! The user peppeska has the password and
direct access to the LDAP database works!

What must I do?

--
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --