Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Hi,

> Yes I did make that change. What in the output
> suggested I didn't?

Auth-Type already set

> I don't know what the deal is, it seems odd that it
> will read the file and proxy my requests but failed to
> authenticate a locally defined user in the file.

it's matching on line * (iirc) the users file. and failing because of that

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Yes I did make that change. What in the output suggested I didn't?

I don't know what the deal is, it seems odd that it will read the file and proxy my requests but failed to authenticate a locally defined user in the file.

anyways, I went back to 1.1.7 which seems to work fine, I usually stay away from blazing edge versions anyways but I really liked the virtual server functionality and wanted to try 2 because I have like 5 instances of radius running all on different ports and it'd be nice to do it all in one process. oh well.

--- [EMAIL PROTECTED] wrote:

> Hi,
>
> > No love man.
> >
> > Changed the huntgroup definition and also changed the
> > sites-enabled/SERVER-1760 file to read.
>
> did you edit the users file according to the instructions too?
> ..the debug logs suggest otherwise
>
> alan
Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Hi,

> No love man.
>
> Changed the huntgroup definition and also changed the
> sites-enabled/SERVER-1760 file to read.

did you edit the users file according to the instructions too?
..the debug logs suggest otherwise

alan
Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Agent Smith wrote:

> No love man.
>
> Changed the huntgroup definition and also changed the
> sites-enabled/SERVER-1760 file to read.
>
> authorize {
>     files
>     #auth_log
>     pap
> }
> authenticate {
>     files # I also tried it without files here.
>     pap
> }

You've massively broken the default config; this is completely wrong. "files" doesn't work or do anything in the "authenticate" section, and "pap" should be inside an "Auth-Type PAP" stanza.

I suggest you go back to the default config and make small changes towards your goal, one at a time and testing each change.

> Debug output -
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.9.3.29 port 32889, id=174, length=61
>     User-Name = "user1"
>     User-Password = "abc123"
>     NAS-IP-Address = 255.255.255.255
>     NAS-Port = 171
> server SERVER-1760 {
> +- entering group authorize
>     expand: %{User-Name} -> user1
>     users: Matched entry DEFAULT at line 8

The entry on line 8 of the users file rejected the user.
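As an added example (not part of the original message and not FreeRADIUS code), this Python script reads `radiusd -X` output like the trace quoted above and reports which users-file entry decided a reject. The names `parse_requests` and `diagnose` are hypothetical, and the sample trace is shortened from the one posted in this thread.

```python
import re

# Sample input: the user1 trace from this thread (radiusd -X), shortened.
TRACE = """\
rad_recv: Access-Request packet from host 10.9.3.29 port 32889, id=174, length=61
        User-Name = "user1"
server SERVER-1760 {
    users: Matched entry DEFAULT at line 8
++[files] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
  rad_check_password: Auth-Type = Reject, rejecting user
Login incorrect: [user1/abc123] (from client my-linux port 171)
} # server SERVER-1760
"""

PATTERNS = {
    "user": re.compile(r'^User-Name = "(.*)"$'),
    "entry": re.compile(r"^users: Matched entry (\S+) at line (\d+)$"),
    "auth_type": re.compile(r"^rad_check_password:\s+Auth-Type = (\w+),"),
    "result": re.compile(r"^Login (OK|incorrect):"),
    "pap_skipped": re.compile(r"^(rlm_pap: Found existing Auth-Type)"),
}

def parse_requests(text):
    """Return one dict per Access-Request found in radiusd -X output."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv: Access-Request"):
            cur = dict.fromkeys(PATTERNS)  # every field starts as None
            cur["entries"] = []            # (entry name, users-file line) pairs
            requests.append(cur)
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if cur is None or not m:
                continue
            if key == "entry":
                cur["entries"].append((m.group(1), int(m.group(2))))
            elif cur[key] is None:  # keep the first value seen per request
                cur[key] = m.group(1)
    return requests

def diagnose(req):
    """Explain a reject that came from the users file rather than a bad password."""
    names = [name for name, _ in req["entries"]]
    if req["auth_type"] == "Reject" and req["entries"] and req["user"] not in names:
        name, line = req["entries"][-1]
        return f'{req["user"]}: no entry of its own matched; {name} at line {line} forced Auth-Type Reject'
    return f'{req["user"]}: {req["result"]} via Auth-Type {req["auth_type"]}'
```

Running `diagnose(parse_requests(TRACE)[0])` on the sample points at the DEFAULT entry on line 8, which is the same conclusion reached in the reply above.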
Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
No love man.

Changed the huntgroup definition and also changed the sites-enabled/SERVER-1760 file to read.

authorize {
    files
    #auth_log
    pap
}
authenticate {
    files # I also tried it without files here.
    pap
}

Debug output -

Ready to process requests.
rad_recv: Access-Request packet from host 10.9.3.29 port 32889, id=174, length=61
    User-Name = "user1"
    User-Password = "abc123"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 171
server SERVER-1760 {
+- entering group authorize
    expand: %{User-Name} -> user1
    users: Matched entry DEFAULT at line 8
++[files] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [user1/abc123] (from client my-linux port 171)
} # server SERVER-1760
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 174 to 10.9.3.29 port 32889
Waking up in 4.9 seconds.
Cleaning up request 0 ID 174 with timestamp +8
Ready to process requests.

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Agent Smith wrote:
> > user1 Auth-Type = Local, Cleartext-Password = "abc123", Huntgroup-Name == "fetch"
>
> This should be:
>
> user1 Cleartext-Password := "abc123", Huntgroup-Name ...
>
> i.e. Don't set Auth-Type.
>
> This will work in 1.1.7, too.
>
> > =
> > huntgroups file
> >
> > fetch Client-IP-Address == "10.9.3.29"
>
> Hmmm... the code supporting Client-IP-Address was changed a bit. I
> think that may need to be reverted to the way it worked in 1.1.7.
>
> If you change this to Packet-Src-IP-Address == 10.9.3.29, it should work.
>
> > authenticate {
> > files
>
> I'm not sure why you have that there.
>
> You SHOULD have at least the "pap" module here, and as the last module
> in the "authorize" section.
>
> Alan DeKok.
Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Agent Smith wrote:

> user1 Auth-Type = Local, Cleartext-Password = "abc123", Huntgroup-Name == "fetch"

This should be:

user1 Cleartext-Password := "abc123", Huntgroup-Name ...

i.e. Don't set Auth-Type.

This will work in 1.1.7, too.

> =
> huntgroups file
>
> fetch Client-IP-Address == "10.9.3.29"

Hmmm... the code supporting Client-IP-Address was changed a bit. I think that may need to be reverted to the way it worked in 1.1.7.

If you change this to Packet-Src-IP-Address == 10.9.3.29, it should work.

> authenticate {
> files

I'm not sure why you have that there.

You SHOULD have at least the "pap" module here, and as the last module in the "authorize" section.

Alan DeKok.
upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
Note: forwarded message attached.

--- Begin Message ---

upgraded to FR2.0.2 to find out that users file is being read but only partially. Went back to 1.1.7 and works fine.

Here is the radiusd -fX output, the users/huntgroups file and radiusd.conf from fr2.0.2. user2 is proxied to another instance and works fine when user1 is local user and it never works.

=

rad_recv: Access-Request packet from host 10.9.3.29 port 32887, id=163, length=61
    User-Name = "user1"
    User-Password = "abc123"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 161
server SERVER-1760 {
+- entering group authorize
    expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
    users: Matched entry DEFAULT at line 8
++[files] returns ok
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [user1/abc123] (from client user2-linux port 161)
} # server SERVER-1760
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 163 to 10.9.3.29 port 32887
Waking up in 4.9 seconds.
Cleaning up request 0 ID 163 with timestamp +10
Ready to process requests.
rad_recv: Access-Request packet from host 10.9.3.29 port 32887, id=167, length=58
    User-Name = "user2"
    User-Password = "password2"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 161
server SERVER-1760 {
+- entering group authorize
    expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
    users: Matched entry user2 at line 3
++[files] returns ok
} # server SERVER-1760
Sending Access-Request of id 104 to 192.168.60.3 port 1760
    User-Name = "user2"
    User-Password = "password2"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 161
    Proxy-State = 0x313637
Proxying request 1 to home server 192.168.60.3 port 1760
Sending Access-Request of id 104 to 192.168.60.3 port 1760
    User-Name = "user2"
    User-Password = "password2"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 161
    Proxy-State = 0x313637
Going to the next request
Waking up in 0.9 seconds.
Waking up in 12.9 seconds.
rad_recv: Access-Accept packet from host 192.168.60.3 port 1760, id=104, length=82
    Class = 0x53425232434ced8be19ce897d2f8bdc01180240180038198ce8002800781b59ccc97b385d812800e81ed8be19ce897d2f8bdc0808083b8
    Proxy-State = 0x313637
server SERVER-1760 {
+- entering group authorize
    expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
    users: Matched entry user2 at line 3
++[files] returns ok
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [user2/password2] (from client user2-linux port 161)
} # server SERVER-1760
Sending Access-Accept of id 167 to 10.9.3.29 port 32887
    Class = 0x53425232434ced8be19ce897d2f8bdc01180240180038198ce8002800781b59ccc97b385d812800e81ed8be19ce897d2f8bdc0808083b8
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
=
users file
--

user1 Auth-Type = Local, Cleartext-Password = "abc123", Huntgroup-Name == "fetch"

user2 Proxy-To-Realm := "rsa"

DEFAULT Auth-Type := Reject

=
huntgroups file

fetch Client-IP-Address == "10.9.3.29"

==
sites-enabled/server-1760
-

server SERVER-1760 {
    listen {
        ipaddr = *
        port = 1760
        type = auth
    }
    listen {
        ipaddr = *
        port = 1761
        type = acct
    }
    client 10.9.3.29 {
        secret = abc123
        shortname = my-linux-test
    }
    authorize {
        preprocess
        files
        #auth_log
    }
    authenticate {
        files
        #unix
    }
    preacct {
    }
    accounting {
        #detail
        #unix
        radutmp
    }
    session {
        radutmp
    }
    post-auth {
        #reply_log
    }
    pre-proxy {
    }
    post-proxy {
    }
}

===
radiusd.conf

prefix = /usr/local/etc/RADIUS/CLOSET-SW-RSA-PAP-1760
exec_prefix = /usr/local
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expre