Sure, :=. That's what I set. And solution 1, as time shows, is not good enough for me. I want to authorize VPN users (MS-CHAP) and Squid users with the same passwords (a user can access the internet via VPN or via Squid), and when I comment out authtype = MS-CHAP in radiusd.conf and insert Auth-Type = MS-CHAP in radacct, then Squid users can't log in, because Squid does not use MS-CHAP...

> -----Original Message-----
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2003 17:15
> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> Cc: [EMAIL PROTECTED]
> Subject: Re[3]: sql and MSCHAP and disabling user.
>
> Dear Roman Bessyadovskii,
>
> Any of the SMB-Account-CTRL, User-Password and Auth-Type attributes should
> be present with the := operation, not ==.
>
> --Friday, January 24, 2003, 4:47:46 PM, you wrote to [EMAIL PROTECTED]:
>
> RB> Ok, solution 1 is good enough, and I can solve the problem with it.
> RB> But solution 2 (with SMB-Account-CTRL) does not work for me.
>
> RB> I set SMB-Account-CTRL := 16 (17) in radcheck and in radreply, but there is
> RB> no effect on the authorization process.
>
> RB> At this moment I don't clearly understand the process of Authorization and
> RB> Authentication.
> RB> I have read the doc/aaa.txt file (How Authorization, Authentication, and
> RB> Accounting requests are handled), but some corners are still dark for me.
>
> RB> For example:
> RB> radius receives an access request with some Attribute-Value pairs.
> RB> The server begins the Authorization process, collecting data about the
> RB> user by calling modules from the authorize section.
> RB> So, the question: why is the order of the check modules important? As I
> RB> wrote in an earlier letter, when I swap the sql and mschap modules the user
> RB> receives Access Denied.
>
> RB> Or another question:
> RB> When I specify some attributes in the sql DB in radreply, will those
> RB> attributes be included in the Reply Message to the client? If so, how
> RB> would SMB-Account-CTRL be considered if radius returns Access-Accept?
>
> >> -----Original Message-----
> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> Sent: 24 January 2003 12:28
> >> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> >> Cc: [EMAIL PROTECTED]
> >> Subject: Re: sql and MSCHAP and disabling user.
> >>
> >> Dear Roman Bessyadovskii,
> >>
> >> Including mschap in the authorize{} section with "authtype" configured in
> >> the mschap module configuration informs the mschap module that it should
> >> automatically detect an MS-CHAP handshake and set auth to MS-CHAP if one
> >> is found.
> >>
> >> I see 2 possible solutions:
> >> 1. Remove authtype from the mschap configuration. If you need both PAP and
> >> MS-CHAP to work you can create an authenticate{} group from pap and mschap.
> >> 2. Add the SMB-Account-CTRL parameter.
> >>
> >> SMB-Account-CTRL should be 16 for a normal account, 17 for a disabled
> >> account and 1025 for an auto-locked account. In the general case it's a
> >> combination of OR'ed flags:
> >>
> >> #define ACB_DISABLED  0x0001 /* 1 = User account disabled */
> >> #define ACB_HOMDIRREQ 0x0002 /* 1 = Home directory required */
> >> #define ACB_PWNOTREQ  0x0004 /* 1 = User password not required */
> >> #define ACB_TEMPDUP   0x0008 /* 1 = Temporary duplicate account */
> >> #define ACB_NORMAL    0x0010 /* 1 = Normal user account */
> >> #define ACB_MNS       0x0020 /* 1 = MNS logon user account */
> >> #define ACB_DOMTRUST  0x0040 /* 1 = Interdomain trust account */
> >> #define ACB_WSTRUST   0x0080 /* 1 = Workstation trust account */
> >> #define ACB_SVRTRUST  0x0100 /* 1 = Server trust account */
> >> #define ACB_PWNOEXP   0x0200 /* 1 = User password does not expire */
> >> #define ACB_AUTOLOCK  0x0400 /* 1 = Account auto locked */
> >>
> >> (ACB_NORMAL should always be present, otherwise the account is ignored)
> >>
> >> Having SMB-Account-CTRL gives you an additional advantage, because your
> >> Windows users will get a valid message ("account disabled" or "account
> >> locked out") instead of "invalid password".
> >>
> >> --Friday, January 24, 2003, 10:45:15 AM, you wrote to [EMAIL PROTECTED]:
> >>
> >> RB> Hi All.
> >>
> >> RB> I need to set up a VPN server with radius login and store passwords in sql.
> >> RB> I have installed everything correctly (poptop, ppp, freeradius, mysql) and
> >> RB> configured it; users can connect and go through the VPN.
> >>
> >> RB> And I want to temporarily disable a user, but I can't.
> >>
> >> RB> That's what I do.
> >>
> >> RB> mysql> select * from radcheck;
> >> RB> +----+----------+---------------+----+--------+
> >> RB> | id | UserName | Attribute     | op | Value  |
> >> RB> +----+----------+---------------+----+--------+
> >> RB> |  1 | test     | User-Password | == | test   |
> >> RB> |  2 | test     | Auth-Type     | == | Reject |
> >> RB> +----+----------+---------------+----+--------+
> >>
> >> RB> From radiusd.conf:
> >> RB> authorize {
> >> RB>     preprocess
> >> RB>     chap
> >> RB>     suffix
> >> RB>     sql
> >> RB>     #
> >> RB>     # If the users are logging in with an MS-CHAP-Challenge
> >> RB>     # attribute for authentication, the mschap module will find
> >> RB>     # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
> >> RB>     # to the request, which will cause the server to then use
> >> RB>     # the mschap module for authentication.
> >> RB>     mschap
> >> RB> }
> >>
> >> RB> As described in the comment, MS-CHAP adds (or rewrites) Auth-Type for
> >> RB> MS-CHAP and the user can log in regardless of the Reject in the sql table.
> >>
> >> RB> If in the authorize section I swap the sql and mschap modules and set the
> >> RB> following order
> >> RB> authorize {
> >> RB>     ...
> >> RB>     mschap
> >> RB>     sql
> >> RB> }
> >>
> >> RB> In that configuration I receive a reject if a user is disabled in the sql
> >> RB> table, but I also receive a reject for normal (not disabled) users, with the
> >> RB> following log (radiusd -X).
> >>
> >> RB> rlm_sql (sql): Released sql socket id: 4
> >> RB> modcall[authorize]: module "sql" returns ok
> >> RB> modcall: group authorize returns ok
> >> RB> rad_check_password: Found Auth-Type MS-CHAP
> >> RB> auth: type "MS-CHAP"
> >> RB> modcall: entering group authtype
> >> RB> rlm_mschap: No LM/NT password configured. Check authorization.
> >> RB> modcall[authenticate]: module "mschap" returns invalid
> >> RB> modcall: group authtype returns invalid
> >> RB> auth: Failed to validate the user.
> >> RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost
> >> RB> port 0)
> >> RB> Delaying request 0 for 1 seconds
> >>
> >> RB> How do I need to configure radius for it to work properly?
> >> RB> Or how can I disable a user in that configuration?
> >>
> >> RB> Thanks.
> >>
> >> RB> Rick.
> >>
> >> --
> >> ~/ZARAZA
>
> --
> ~/ZARAZA

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
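An added worked example (mine, not code from the thread or from FreeRADIUS) that decodes SMB-Account-CTRL values from the ACB_* flag table ZARAZA quotes and builds radcheck rows with the := operator he says these attributes need. The column names follow the mysql output in RB's first message; the function names, the classification rules and the INSERT rendering are my own assumptions. One thing worth checking against the numbers quoted above: ACB_AUTOLOCK | ACB_NORMAL is 0x410 = 1040, while 1025 is 0x401 = ACB_AUTOLOCK | ACB_DISABLED with no ACB_NORMAL bit, so the code classifies each value from its flags rather than from the quoted constants.

```python
# Added example, not part of the mailing-list thread and not FreeRADIUS code.
# Decodes SMB-Account-CTRL bit flags and emits radcheck rows using ':='.

# ACB flag values exactly as listed in ZARAZA's message.
ACB_FLAGS = {
    "ACB_DISABLED": 0x0001,   # user account disabled
    "ACB_HOMDIRREQ": 0x0002,  # home directory required
    "ACB_PWNOTREQ": 0x0004,   # password not required
    "ACB_TEMPDUP": 0x0008,    # temporary duplicate account
    "ACB_NORMAL": 0x0010,     # normal user account (must be present)
    "ACB_MNS": 0x0020,        # MNS logon user account
    "ACB_DOMTRUST": 0x0040,   # interdomain trust account
    "ACB_WSTRUST": 0x0080,    # workstation trust account
    "ACB_SVRTRUST": 0x0100,   # server trust account
    "ACB_PWNOEXP": 0x0200,    # password does not expire
    "ACB_AUTOLOCK": 0x0400,   # account auto locked
}


def decode_acb(value):
    """Return the set of ACB_* flag names set in an SMB-Account-CTRL value."""
    return {name for name, bit in ACB_FLAGS.items() if value & bit}


def acb_value(*names):
    """OR together named flags, e.g. acb_value("ACB_NORMAL", "ACB_DISABLED") == 17."""
    value = 0
    for name in names:
        value |= ACB_FLAGS[name]
    return value


def account_state(value):
    """Classify an account the way the thread describes the flags being read:
    no ACB_NORMAL -> 'ignored'; otherwise 'disabled', 'locked' or 'normal'.
    (The ordering disabled-before-locked is an assumption of this example.)"""
    flags = decode_acb(value)
    if "ACB_NORMAL" not in flags:
        return "ignored"
    if "ACB_DISABLED" in flags:
        return "disabled"
    if "ACB_AUTOLOCK" in flags:
        return "locked"
    return "normal"


def radcheck_rows(username, password, acb):
    """radcheck rows as (UserName, Attribute, op, Value) tuples. Both rows use
    ':=' rather than the '==' that appeared in RB's table."""
    return [
        (username, "User-Password", ":=", password),
        (username, "SMB-Account-CTRL", ":=", str(acb)),
    ]


def _sql_quote(text):
    # Doubling single quotes is the minimum needed for a literal; in real code
    # use the DB driver's parameter binding instead of string building.
    return "'" + text.replace("'", "''") + "'"


def radcheck_sql(username, password, acb):
    """Render the rows as INSERT statements for the radcheck table
    (column names taken from the mysql output in the thread)."""
    stmts = []
    for user, attr, op, val in radcheck_rows(username, password, acb):
        stmts.append(
            "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ("
            + ", ".join(_sql_quote(x) for x in (user, attr, op, val))
            + ");"
        )
    return "\n".join(stmts)


if __name__ == "__main__":
    # Sample values: the three constants from the thread plus AUTOLOCK|NORMAL.
    for v in (16, 17, 1025, 1040):
        print(v, sorted(decode_acb(v)), account_state(v))
    print(radcheck_sql("test", "test", acb_value("ACB_NORMAL", "ACB_DISABLED")))
```

Running it prints, for 16, 17, 1025 and 1040, the decoded flag names and the resulting state, then the two INSERT statements for a disabled "test" account; the second statement carries SMB-Account-CTRL := 17, which is the row RB said had no effect when stored with ==.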
