All,
I'm having a weird problem with my FreeRADIUS 0.8.1 (i686-pc-linux-gnu,
built Dec. 19th, 2002). The installed OS is Red Hat Linux 7.3, fully updated,
with MySQL 3.23.49. Below are the full details of our test setup, and log file
excerpts:
Currently we have a Steel-Belted Radius server working on our link, which
works fine. There is a shared secret between this RADIUS server and the
NAS, and we have a demo user account and password set up. It uses standard
RADIUS, with PAP.
I installed FreeRADIUS on my laptop, configured the respective clients.conf
and users files for authorisation / authentication, and have been testing
it with both radtest / radclient and NTRadPing v1.2 from MasterSoft, which
seemed to work fine, with radiusd -X in debugging mode.
The following happens: I configured my FreeRADIUS laptop with the same
IP address, subnet mask and default gateway as the Steel-Belted Radius, and
first fired up NTRadPing from MasterSoft. I send an authentication request,
and the following is logged server-side:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "radius"
main: group = "radius"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.2:1275, id=0, length=44
User-Name = "job"
CHAP-Password = 0xd6cf27392bdd84d4f30074397a57dc4a73
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched job at 80
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [job/<CHAP-Password>] (from client private-network-1 port 0)
Sending Access-Accept of id 0 to 192.168.1.2:1275
Service-Type = Login-User
Framed-Protocol = PPP
Framed-IP-Address = 10.10.0.4
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1276, id=1, length=44
User-Name = "job"
CHAP-Password = 0x32fccd772a81c678a506d4c05f2c0b4c1b
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched job at 80
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [job/<CHAP-Password>] (from client private-network-1 port 0)
Sending Access-Accept of id 1 to 192.168.1.2:1276
Service-Type = Login-User
Framed-Protocol = PPP
Framed-IP-Address = 10.10.0.4
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1277, id=2, length=44
User-Name = "job"
CHAP-Password = 0xebe62df2a3a57a21ca72e77068ebccb35d
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched job at 80
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [job/<CHAP-Password>] (from client private-network-1 port 0)
Sending Access-Accept of id 2 to 192.168.1.2:1277
Service-Type = Login-User
Framed-Protocol = PPP
Framed-IP-Address = 10.10.0.4
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 3e1ade7a
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 3e1ade7d
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 2 with timestamp 3e1ade7e
Nothing to do. Sleeping until we see a request.
Next, I try radtest, with exactly the following command: "radtest job password
localhost:1812 1812 sharedsecret"
Sending Access-Request of id 202 to 127.0.0.1:1812
User-Name = "job"
User-Password = "\243t\034\275\310\316\247"D\0337\367q\240\216\275"
NAS-IP-Address = GPRS-C1-01.GBNetworks.com
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=202, length=71
Service-Type = Login-User
Framed-Protocol = PPP
Framed-IP-Address = 10.10.0.4
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finally, I try to do the same with a laptop with a Nokia D211 GSM/GPRS
(General Packet Radio Service) PCMCIA card, calling a specific GPRS number
and provider name, so that the Access-Request packet should come out of our
GPRS link, on which I have just hooked up my laptop with the FreeRADIUS server:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "radius"
main: group = "radius"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.254.252:1812, id=243, length=107
NAS-Identifier = "GS5.gv-C1"
User-Name = "job"
User-Password = "xxxxx"
NAS-IP-Address = 10.10.254.252
NAS-Port-Type = Virtual
Calling-Station-Id = "316xxxxxxxx"
Called-Station-Id = "xxx.nl"
Acct-Session-Id = "344a07911ea90000"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched job at 80
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [job/kunst] (from client nas1.kpn.com port 0 cli 31620017455)
Sending Access-Accept of id 243 to 10.10.254.252:1812
Service-Type = Login-User
Framed-Protocol = PPP
Framed-IP-Address = 10.10.0.4
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.10.254.252:1812, id=244, length=135
NAS-Identifier = "GS5.gv-C1"
User-Name = "job"
Acct-Status-Type = Start
NAS-IP-Address = 10.10.254.252
NAS-Port-Type = Virtual
Calling-Station-Id = "316xxxxxxxx"
Called-Station-Id = "xxx.nl"
Acct-Session-Id = "344a07911ea90000"
Framed-IP-Address = 10.10.0.4
X-Ascend-IPX-Alias = 0x02040881400009f9
X-Ascend-Metric = 43294
X-Ascend-PRI-Number-Type = 0
X-Ascend-Dial-Number = "\221\007J4"
X-Ascend-Route-IP = 2433174055
modcall: entering group preacct
modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module "suffix" returns noop
modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.10.254.252,NAS-IP-Address = 10.10.254.252,Acct-Session-Id = "344a07911ea90000",User-Name = "job"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5045ec781c51f68".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107
rlm_detail: Failed to create directory /usr/local/var/log/radius/radacct/10.10.254.252: Permission denied
modcall[accounting]: module "detail" returns fail
modcall: group accounting returns fail
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
Cleaning up request 1 ID 244 with timestamp 3e1af415
rl_next: returning NULL
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.10.254.252:1812, id=244, length=135
NAS-Identifier = "GS5.gv-C1"
User-Name = "job"
Acct-Status-Type = Start
NAS-IP-Address = 10.10.254.252
NAS-Port-Type = Virtual
Calling-Station-Id = "316xxxxxxxx"
Called-Station-Id = "xxx.nl"
Acct-Session-Id = "344a07911ea90000"
Framed-IP-Address = 10.10.0.4
X-Ascend-IPX-Alias = 0x02040881400009f9
X-Ascend-Metric = 43294
X-Ascend-PRI-Number-Type = 0
X-Ascend-Dial-Number = "\221\007J4"
X-Ascend-Route-IP = 2433174055
Here the weird stuff starts happening, probably due to my forgetting to
chown the various dirs to radius.
modcall: entering group preacct
modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module "suffix" returns noop
modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.10.254.252,NAS-IP-Address = 10.10.254.252,Acct-Session-Id = "344a07911ea90000",User-Name = "job"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5045ec781c51f68".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107
rlm_detail: Failed to create directory /usr/local/var/log/radius/radacct/10.10.254.252: Permission denied
modcall[accounting]: module "detail" returns fail
modcall: group accounting returns fail
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 244 with timestamp 3e1af417
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 3e1af415
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 10.10.254.252:1812, id=244, length=135
NAS-Identifier = "GS5.gv-C1"
User-Name = "job"
Acct-Status-Type = Start
NAS-IP-Address = 10.10.254.252
NAS-Port-Type = Virtual
Calling-Station-Id = "31620017455"
Called-Station-Id = "xxx.nl"
Acct-Session-Id = "344a07911ea90000"
Framed-IP-Address = 10.10.0.4
X-Ascend-IPX-Alias = 0x02040881400009f9
X-Ascend-Metric = 43294
X-Ascend-PRI-Number-Type = 0
X-Ascend-Dial-Number = "\221\007J4"
X-Ascend-Route-IP = 2433174055
modcall: entering group preacct
modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module "suffix" returns noop
modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.10.254.252,NAS-IP-Address = 10.10.254.252,Acct-Session-Id = "344a07911ea90000",User-Name = "job"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5045ec781c51f68".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107
rlm_detail: Failed to create directory /usr/local/var/log/radius/radacct/10.10.254.252: Permission denied
modcall[accounting]: module "detail" returns fail
modcall: group accounting returns fail
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 244 with timestamp 3e1af41b
Nothing to do. Sleeping until we see a request.
The Windows client gives an error message: Error 734: The PPP link control
protocol was terminated. The latest trailing messages logged by my
FreeRADIUS daemon are different from the first, which leads me to think I
have a combined problem: it seems I forgot to chown the appropriate
directories to radius; I am checking that out currently.
*** Contents of my users file, which has simple entries for testing as yet:
I'm still confused about which attributes should work the same way as the
Steel-Belted "Standard Radius", which works fine and fast without much
configuring; that's why some of the default entries for the user "job" are
commented out.
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# You don't need to specify a password if you set Auth-Type += System
# on the list of authentication requirements. The RADIUS server
# will then check the system password file.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "job kunst". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
job	Auth-Type := Local, User-Password == "kunst"
#	Service-Type = Framed-User,
	Service-Type = Login-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 10.10.0.4,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Auth-Type := Local, User-Password == "hello"
# Reply-Message = "Hello, %u"
#
# Dial user back and telnet to the default host for that port
#
#Deg Auth-Type := Local, User-Password == "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Auth-Type := Local, User-Password == "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell", Auth-Type := System
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT	Auth-Type := System
	Fall-Through = 1
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.32+,
# Fall-Through = Yes
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
# Framed-IP-Address = 192.168.2.32+,
# Fall-Through = Yes
#
# Defaults for all framed connections.
#
DEFAULT	Service-Type == Framed-User
#	Framed-IP-Address = 255.255.255.254,
#	Framed-MTU = 576,
	Service-Type = Framed-User,
#	Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Shell-User
# On no match, the user is denied access.
Latest remark: It seems the Access-Accept packet from the RADIUS daemon back
to the NAS (10.10.254.252) is not reaching its destination, the end client
with which I made the request. Interestingly, it seems that the FreeRADIUS
server is sending the Access-Accept packet to a higher port, for instance
1076 or higher, when queried from NTRadPing, while sending it back to port
1812 in the case of our real NAS. Could this be the cause somehow? NTRadPing
reports the Accept packet in full, including all inserted attributes. I'm
not sure, but I think I've seen this happen with radtest too.
Dump from a working setup with the Steel-Belted Radius server: ipconfig
from the client dialled in:
Windows IP Configuration
Host Name . . . . . . . . . . . . : Mordor
Primary Dns Suffix . . . . . . . : gbnetworks.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gbnetworks.com
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Toshiba Wireless LAN Mini PCI Card
Physical Address. . . . . . . . . : 00-02-2D-43-4E-4D
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : Mordor.GBNetworks.com
Description . . . . . . . . . . . : Intel 8255x-based Fast Ethernet
Physical Address. . . . . . . . . : 00-00-39-48-15-B4
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 10.100.0.1
212.120.66.194
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Nokia D211 radio card driver
Physical Address. . . . . . . . . : 00-E0-03-07-F9-DC
PPP adapter GPRS:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.10.0.5
DNS Servers . . . . . . . . . . . : 10.100.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled
Tracert to the DNS server listed above as present:
Tracing route to 10.100.0.1 over a maximum of 30 hops
1 525 ms 2843 ms 1028 ms 10.111.0.146
2 3952 ms 4010 ms 3902 ms 10.100.0.252
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 General failure.
Trace complete.
Any help appreciated,
Thanks - Marnix
______________________________________________________________________
The information contained in this electronic mail message is privileged
and confidential, and is intended only for use of the addressee. If you
are not the intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this
communication is strictly prohibited. If you have received this communication in error, please notify the sender by reply transmission and delete the message without copying or disclosing it.
This email has been scanned for all viruses by the MessageLabs SkyScan
service. Any possible virus has been removed from this email message.
______________________________________________________________________
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- Re: FreeRadius vs SteelBelted, Tuning of Ports and Packets... Marnix Petrarca
- Re: FreeRadius vs SteelBelted, Tuning of Ports and Pa... Alan DeKok
- Re: FreeRadius vs SteelBelted, Tuning of Ports an... Marnix Petrarca
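The three test paths in the post (NTRadPing sending a CHAP-Password, radtest sending a hidden User-Password, the NAS sending User-Password) all rely on the same RFC 2865 mechanics, so here is a self-contained Python model of one Access-Request / Access-Accept round trip. This is an added example, not code from the original post or from FreeRADIUS: the shared secret, user name and password are constructed sample values taken from the post, the attribute numbers and MD5 constructions are those of RFC 2865, and the "server" is a toy in-memory lookup standing in for the users file.

```python
"""One RADIUS Access-Request / Access-Accept round trip per RFC 2865, offline.
Added example, not FreeRADIUS code; secret, user and password are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def pap_hide(secret, req_auth, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(secret, req_auth, hidden):
    """Inverse of pap_hide; trailing NULs are the padding, so they are stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """CHAP-Password value: CHAP ident byte, then MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + ln]))
        pos += ln
    return code, ident, pkt[4:20], attrs


def response_auth(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def client_request(secret, user, password, chap=False, req_auth=None):
    """Access-Request carrying a PAP User-Password or, like NTRadPing did, a CHAP-Password."""
    req_auth = req_auth or os.urandom(16)
    if chap:  # no CHAP-Challenge attribute: the Request Authenticator is the challenge (s5.3)
        cred = (CHAP_PASSWORD, chap_response(1, password, req_auth))
    else:
        cred = (USER_PASSWORD, pap_hide(secret, req_auth, password))
    return build(ACCESS_REQUEST, 0, req_auth, [(USER_NAME, user), cred]), req_auth


def server_handle(secret, users, pkt):
    """Toy stand-in for the users file: accept only if PAP or CHAP proves the stored password."""
    _, ident, req_auth, attrs = parse(pkt)
    a = dict(attrs)
    stored = users.get(a.get(USER_NAME, b""))
    ok = False
    if stored is not None and USER_PASSWORD in a:
        ok = pap_reveal(secret, req_auth, a[USER_PASSWORD]) == stored
    elif stored is not None and len(a.get(CHAP_PASSWORD, b"")) == 17:
        challenge = a.get(CHAP_CHALLENGE, req_auth)
        ok = chap_response(a[CHAP_PASSWORD][0], stored, challenge) == a[CHAP_PASSWORD]
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build(code, ident, response_auth(code, ident, req_auth, [], secret), [])


def reply_is_authentic(secret, req_auth, reply):
    """Client side: trust a reply only if its Response Authenticator checks out."""
    code, ident, auth, attrs = parse(reply)
    return auth == response_auth(code, ident, req_auth, attrs, secret)


def exchange(secret, users, user, password, chap=False, req_auth=None):
    """Client -> server -> client; return the reply code, raise on a forged or mis-keyed reply."""
    pkt, req_auth = client_request(secret, user, password, chap, req_auth)
    reply = server_handle(secret, users, pkt)
    if not reply_is_authentic(secret, req_auth, reply):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return parse(reply)[0]


if __name__ == "__main__":
    USERS = {b"job": b"kunst"}  # constructed, mirrors the users entry in the post
    print(exchange(b"sharedsecret", USERS, b"job", b"kunst"))             # 2 = Access-Accept
    print(exchange(b"sharedsecret", USERS, b"job", b"kunst", chap=True))  # 2 = Access-Accept
    print(exchange(b"sharedsecret", USERS, b"job", b"wrong"))             # 3 = Access-Reject
```

Two points worth holding against the log excerpts: a client must check the Response Authenticator before acting on a reply, otherwise any host able to spoof the server's address can hand it a fake Access-Accept (reply_is_authentic returns False for that in this model, as it does for a shared-secret mismatch between NAS and server); and per RFC 2865 the server sends its reply to the UDP source address and port of the request, which is why NTRadPing sees replies on an ephemeral port such as 1275 while the NAS in the log, which sent from port 1812, gets them back on 1812.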
