Dear Roman Bessyadovskii,

Any of the SMB-Account-CTRL, User-Password and Auth-Type attributes should be present with the := operator, not ==.

--Friday, January 24, 2003, 4:47:46 PM, you wrote to [EMAIL PROTECTED]:

RB> Ok, solution 1 is good enough, and I can solve the problem with it.
RB> But solution 2 (with SMB-Account-CTRL) does not work for me.
RB> I set SMB-Account-CTRL := 16 (17) in radcheck and in radreply, but there is
RB> no effect on the authorisation process.
RB> At this moment I don't clearly understand the process of Authorization and
RB> Authentication.
RB> I have read the doc/aaa.txt file (How Authorization, Authentication, and Accounting
RB> requests are handled) but some corners are still dark to me.
RB> For example:
RB> radius receives an access request with some Attribute-Value pairs.
RB> The server begins the Authorisation process - collecting data about the user by calling
RB> modules from the authorize section.
RB> So, the question: why is the order of the check modules important? As I wrote in my earlier
RB> letter, I switched the sql and mschap modules and the user received Access Denied.
RB> Or another question:
RB> When I specify some attributes in the sql DB in radreply - would those attributes
RB> be included in the Reply Message to the client? If so, how would SMB-Account-CTRL
RB> be considered if radius returns Access-Accept?

>> -----Original Message-----
>> From: 3APA3A [mailto:[EMAIL PROTECTED]]
>> Sent: 24 January 2003 12:28
>> To: [EMAIL PROTECTED]; Roman Bessyadovskii
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: sql and MSCHAP and disabling user.
>>
>> Dear Roman Bessyadovskii,
>>
>> Including mschap in the authorize{} section with "authtype" configured in
>> the mschap module configuration informs the mschap module that it should
>> automatically detect an MS-CHAP handshake and set auth to MS-CHAP if one is
>> found.
>>
>> I see 2 possible solutions:
>> 1. Remove authtype in the mschap configuration. If you need both PAP and
>> MS-CHAP to work you can create an authenticate{} group from pap and mschap.
>> 2. Add the SMB-Account-CTRL parameter.
>>
>> SMB-Account-CTRL should be 16 for a normal account, 17 for a disabled account
>> and 1025 for an auto-locked account. In the general case it's a combination
>> of OR'ed flags:
>>
>> #define ACB_DISABLED  0x0001 /* 1 = User account disabled */
>> #define ACB_HOMDIRREQ 0x0002 /* 1 = Home directory required */
>> #define ACB_PWNOTREQ  0x0004 /* 1 = User password not required */
>> #define ACB_TEMPDUP   0x0008 /* 1 = Temporary duplicate account */
>> #define ACB_NORMAL    0x0010 /* 1 = Normal user account */
>> #define ACB_MNS       0x0020 /* 1 = MNS logon user account */
>> #define ACB_DOMTRUST  0x0040 /* 1 = Interdomain trust account */
>> #define ACB_WSTRUST   0x0080 /* 1 = Workstation trust account */
>> #define ACB_SVRTRUST  0x0100 /* 1 = Server trust account */
>> #define ACB_PWNOEXP   0x0200 /* 1 = User password does not expire */
>> #define ACB_AUTOLOCK  0x0400 /* 1 = Account auto locked */
>>
>> (ACB_NORMAL should always be present, otherwise the account is ignored)
>>
>> Having SMB-Account-CTRL gives you an additional advantage, because your
>> Windows users will get a valid message ("account disabled" or "account
>> locked out") instead of "invalid password".
>>
>> --Friday, January 24, 2003, 10:45:15 AM, you wrote to [EMAIL PROTECTED]:
>>
>> RB> Hi All.
>>
>> RB> I need to set up a vpn server with radius login and store passwords in sql.
>> RB> I have installed everything correctly (poptop, ppp, freeradius, mysql) and
>> RB> configured it; users can connect and go through the vpn.
>>
>> RB> And I want to temporarily disable a user, but I can't.
>>
>> RB> That's what I do.
>>
>> RB> mysql> select * from radcheck;
>> RB> +----+----------+---------------+----+--------+
>> RB> | id | UserName | Attribute     | op | Value  |
>> RB> +----+----------+---------------+----+--------+
>> RB> |  1 | test     | User-Password | == | test   |
>> RB> |  2 | test     | Auth-Type     | == | Reject |
>> RB> +----+----------+---------------+----+--------+
>>
>> RB> From radiusd.conf:
>> RB> authorize {
>> RB>     preprocess
>> RB>     chap
>> RB>     suffix
>> RB>     sql
>> RB>     #
>> RB>     # If the users are logging in with an MS-CHAP-Challenge
>> RB>     # attribute for authentication, the mschap module will find
>> RB>     # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>> RB>     # to the request, which will cause the server to then use
>> RB>     # the mschap module for authentication.
>> RB>     mschap
>> RB> }
>>
>> RB> As described in the comment, MS-CHAP adds (or rewrites) Auth-Type for MS-CHAP and
>> RB> the user can log in regardless of the Reject in the sql table.
>>
>> RB> If in the authorize section I switch the sql and mschap modules and set the following order
>> RB> authorize {
>> RB>     ...
>> RB>     mschap
>> RB>     sql
>> RB> }
>>
>> RB> In that configuration I receive a reject if I disable the user in the sql table, but I also
>> RB> receive a reject for normal (not disabled) users, with the following log (radiusd -X).
>>
>> RB> rlm_sql (sql): Released sql socket id: 4
>> RB> modcall[authorize]: module "sql" returns ok
>> RB> modcall: group authorize returns ok
>> RB> rad_check_password: Found Auth-Type MS-CHAP
>> RB> auth: type "MS-CHAP"
>> RB> modcall: entering group authtype
>> RB> rlm_mschap: No LM/NT password configured. Check authorization.
>> RB> modcall[authenticate]: module "mschap" returns invalid
>> RB> modcall: group authtype returns invalid
>> RB> auth: Failed to validate the user.
>> RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
>> RB> Delaying request 0 for 1 seconds
>>
>> RB> How do I need to configure radius so that it works properly?
>> RB> Or how can I disable a user in that configuration?
>>
>> RB> Thanks.
>>
>> RB> Rick.
>>
>> RB> -
>> RB> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> --
>> ~/ZARAZA

--
~/ZARAZA
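The following is an added worked example, not code from this thread or from the FreeRADIUS project. It takes the ACB_* flag table quoted above, composes and decodes SMB-Account-CTRL values, and emits radcheck rows (UserName, Attribute, op, Value, the schema shown in the original post) using the := operator the reply asks for, with a small lint that flags the == rows from the original post. The acb_status function is an illustration of the outcomes the thread describes (a word without ACB_NORMAL is ignored, a disabled or auto-locked account gets a specific message); the order in which it tests the bits is an assumption, not taken from rlm_mschap. Note that under this table 1025 = 0x401 decodes to ACB_DISABLED|ACB_AUTOLOCK, while a normal account that is auto-locked would be 16|1024 = 1040.

```python
# Added example, not code from the thread or from FreeRADIUS: compose and
# decode the SMB-Account-CTRL flag word quoted in the thread and emit the
# radcheck rows with the ':=' operator that the reply says is required.

# Flag table exactly as quoted in the thread (Samba-style ACB_* bits).
ACB_FLAGS = {
    "ACB_DISABLED": 0x0001,
    "ACB_HOMDIRREQ": 0x0002,
    "ACB_PWNOTREQ": 0x0004,
    "ACB_TEMPDUP": 0x0008,
    "ACB_NORMAL": 0x0010,
    "ACB_MNS": 0x0020,
    "ACB_DOMTRUST": 0x0040,
    "ACB_WSTRUST": 0x0080,
    "ACB_SVRTRUST": 0x0100,
    "ACB_PWNOEXP": 0x0200,
    "ACB_AUTOLOCK": 0x0400,
}

# Check items that the reply says must be set with ':=' rather than compared with '=='.
MUST_USE_SET_OP = {"User-Password", "Auth-Type", "SMB-Account-CTRL"}


def acb_encode(*names):
    """OR together the named ACB_* flags into one SMB-Account-CTRL value."""
    value = 0
    for name in names:
        value |= ACB_FLAGS[name]
    return value


def acb_decode(value):
    """List the ACB_* flag names set in an SMB-Account-CTRL value (table order)."""
    return [name for name, bit in ACB_FLAGS.items() if value & bit]


def acb_status(value):
    """Outcome for a value, following the thread's description.

    Assumed evaluation order (illustrative, not taken from rlm_mschap):
    a word without ACB_NORMAL is ignored, then disabled, then auto-locked.
    """
    if not value & ACB_FLAGS["ACB_NORMAL"]:
        return "ignored (ACB_NORMAL not set)"
    if value & ACB_FLAGS["ACB_DISABLED"]:
        return "account disabled"
    if value & ACB_FLAGS["ACB_AUTOLOCK"]:
        return "account locked out"
    return "enabled"


def radcheck_rows(username, password, acb_value):
    """radcheck rows (UserName, Attribute, op, Value) for one user, using ':='."""
    return [
        (username, "User-Password", ":=", password),
        (username, "SMB-Account-CTRL", ":=", str(acb_value)),
    ]


def lint_radcheck(rows):
    """Return (UserName, Attribute, op) for rows that use the wrong operator,
    i.e. the mistake in the original post ('==' on User-Password / Auth-Type)."""
    return [(u, a, op) for (u, a, op, _v) in rows
            if a in MUST_USE_SET_OP and op != ":="]


def to_sql(rows):
    """Render rows as INSERT statements for the radcheck table from the thread."""
    def q(s):
        # Minimal single-quote escaping for a literal; use bind parameters in real code.
        return "'" + str(s).replace("'", "''") + "'"
    return [
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (%s, %s, %s, %s);"
        % (q(u), q(a), q(op), q(v))
        for (u, a, op, v) in rows
    ]


if __name__ == "__main__":
    for v in (16, 17, 1025, acb_encode("ACB_NORMAL", "ACB_AUTOLOCK")):
        print(v, acb_decode(v), "->", acb_status(v))
    # Constructed sample: the rows as posted (op '==') versus corrected rows.
    posted = [("test", "User-Password", "==", "test"),
              ("test", "Auth-Type", "==", "Reject")]
    print("wrong operator on:", lint_radcheck(posted))
    for stmt in to_sql(radcheck_rows("test", "test",
                                     acb_encode("ACB_NORMAL", "ACB_DISABLED"))):
        print(stmt)
```

Running the script prints the decoded flag names and status for 16, 17, 1025 and 1040, reports the two == rows from the original post as wrong, and prints the two INSERT statements that store a disabled account (SMB-Account-CTRL := 17) with the := operator.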
