Ok, it works, and if SMB-Account-CTRL := 17 then it returns:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=89, length=132
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0x2e15b498ec23a1f12c56efee2681c534
MS-CHAP2-Response = 0x0100e2316453801f9e6e08bfc56d94129d8100000000000000000e081fb1122a8aab881b99d151ab30db18daf9a910bbedbe
NAS-IP-Address = 10.128.7.13
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: check items
User-Password == "test"
SMB-Account-CTRL := 17
rlm_sql: reply items
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 127.0.0.1:32772
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
In the other cases (:= 16, or SMB-Account-CTRL attribute not present) the user can
log in.
Thanks.
> -----Original Message-----
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: 4 February 2003 13:48
> To: Roman Bessyadovskii
> Subject: Re[7]: sql and MSCHAP and disabling user.
>
>
> Dear Roman Bessyadovskii,
>
> RB> I think that with User-Password I need to use the '==' operation;
> RB> it's a condition, not a definition...
>
> It's a definition. In the case of MS-CHAP the request will never contain
> a User-Password attribute and the comparison should fail. But as far as I
> know there is a _special case_ for the User-Password attribute; that's why
> it works.
>
> Ok, I have found a problem in rlm_mschap: probably SMB-Account-CTRL was
> only handled if configured in the smbpasswd file.
>
> Please try the attached patch and report back if it works (I can't test it
> myself in my current configuration).
>
> --Tuesday, February 4, 2003, 12:04:23 PM, you wrote to
> [EMAIL PROTECTED]:
>
> RB> Hello.
>
> RB> Sorry for some pause in conversation.
>
> >> >> Any of the SMB-Account-CTRL, User-Password and Auth-Type attributes
> >> >> should be present with the := operation, not ==.
> RB> I think that with User-Password I need to use the '==' operation;
> RB> it's a condition, not a definition...
>
> RB> Here are the logs without SMB-Account-CTRL and with it:
> RB> ____________________________________________________________________________
> RB> mysql> select * from radcheck;
> RB> +----+----------+---------------+----+--------+
> RB> | id | UserName | Attribute     | op | Value  |
> RB> +----+----------+---------------+----+--------+
> RB> |  1 | test     | User-Password | == | test   |
> RB> +----+----------+---------------+----+--------+
> RB> ____________________________________________________________________________
> RB> Ready to process requests.
> RB> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=76, length=132
> RB> Service-Type = Framed-User
> RB> Framed-Protocol = PPP
> RB> User-Name = "test"
> RB> MS-CHAP-Challenge = 0x0808921378f29eef1012eb923c9e6422
> RB> MS-CHAP2-Response = 0x010050346d85f08005552ecd3307a479219c00000000000000002d0f0dc4294e112a4ff46994ae39c290248ee6773a4585bc
> RB> NAS-IP-Address = 10.128.7.13
> RB> NAS-Port = 0
> RB> modcall: entering group authorize
> RB> modcall[authorize]: module "preprocess" returns ok
> RB> rlm_chap: Could not find proper Chap-Password attribute in request
> RB> modcall[authorize]: module "chap" returns noop
> RB> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> RB> rlm_realm: No such realm NULL
> RB> modcall[authorize]: module "suffix" returns noop
> RB> radius_xlat: 'test'
> RB> rlm_sql (sql): sql_set_user escaped user --> 'test'
> RB> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username= 'test' ORDER BY id'
> RB> rlm_sql (sql): Reserving sql socket id: 4
> RB> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> RB> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
> RB> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> RB> rlm_sql: check items
> RB> User-Password == "test"
> RB> rlm_sql: reply items
> RB> rlm_sql (sql): Released sql socket id: 4
> RB> modcall[authorize]: module "sql" returns ok
> RB> modcall[authorize]: module "mschap" returns ok
> RB> modcall: group authorize returns ok
> RB> rad_check_password: Found Auth-Type MS-CHAP
> RB> auth: type "MS-CHAP"
> RB> modcall: entering group authtype
> RB> rlm_mschap: doing MS-CHAPv2 with NT-Password
> RB> rlm_mschap: adding MS-CHAPv2 MPPE keys
> RB> modcall[authenticate]: module "mschap" returns ok
> RB> modcall: group authtype returns ok
> RB> Login OK: [test] (from client localhost port 0)
> RB> Sending Access-Accept of id 76 to 127.0.0.1:32772
> RB> MS-CHAP2-Success = 0x01533d43433731343043313537364643444642444343384234433841303943303945333535454431314144
> RB> MS-MPPE-Recv-Key = 0xa5e7ae2e265d7ed72c0a173efbf84737280912f8fea8b7ee03a1cdaf7816c331bbae
> RB> MS-MPPE-Send-Key = 0xa5e43c17be9de81ae5f0a61367766998535d84e2c0dd5fdb08bce4fc65a874226a04
> RB> MS-MPPE-Encryption-Policy = 0x00000001
> RB> MS-MPPE-Encryption-Types = 0x00000004
> RB> Finished request 0
> RB> Going to the next request
> RB> --- Walking the entire request list ---
> RB> ____________________________________________________________________________
> RB> mysql> select * from radcheck;
> RB> +----+----------+------------------+----+--------+
> RB> | id | UserName | Attribute        | op | Value  |
> RB> +----+----------+------------------+----+--------+
> RB> |  1 | test     | User-Password    | == | test   |
> RB> | 14 | test     | SMB-Account-CTRL | := | 17     |
> RB> +----+----------+------------------+----+--------+
>
> RB> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=79, length=132
> RB> Service-Type = Framed-User
> RB> Framed-Protocol = PPP
> RB> User-Name = "test"
> RB> MS-CHAP-Challenge = 0xc336487cabf841825e682cf0c1f5c59f
> RB> MS-CHAP2-Response = 0x0100ff6a087763543f28034af97e882ed03b0000000000000000bc5b53de858d18b44c135420bdb69da69520395b8542598d
> RB> NAS-IP-Address = 10.128.7.13
> RB> NAS-Port = 0
> RB> modcall: entering group authorize
> RB> modcall[authorize]: module "preprocess" returns ok
> RB> rlm_chap: Could not find proper Chap-Password attribute in request
> RB> modcall[authorize]: module "chap" returns noop
> RB> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> RB> rlm_realm: No such realm NULL
> RB> modcall[authorize]: module "suffix" returns noop
> RB> radius_xlat: 'test'
> RB> rlm_sql (sql): sql_set_user escaped user --> 'test'
> RB> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
> RB> rlm_sql (sql): Reserving sql socket id: 1
> RB> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> RB> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
> RB> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> RB> rlm_sql: check items
> RB> User-Password == "test"
> RB> SMB-Account-CTRL := 17
> RB> rlm_sql: reply items
> RB> rlm_sql (sql): Released sql socket id: 1
> RB> modcall[authorize]: module "sql" returns ok
> RB> modcall[authorize]: module "mschap" returns ok
> RB> modcall: group authorize returns ok
> RB> rad_check_password: Found Auth-Type MS-CHAP
> RB> auth: type "MS-CHAP"
> RB> modcall: entering group authtype
> RB> rlm_mschap: doing MS-CHAPv2 with NT-Password
> RB> rlm_mschap: adding MS-CHAPv2 MPPE keys
> RB> modcall[authenticate]: module "mschap" returns ok
> RB> modcall: group authtype returns ok
> RB> Login OK: [test] (from client localhost port 0)
> RB> Sending Access-Accept of id 79 to 127.0.0.1:32772
> RB> MS-CHAP2-Success = 0x01533d42453232344438334246363941423342314135454544464337433139344244343133333831423237
> RB> MS-MPPE-Recv-Key = 0x9d697166114f24b438033148c5fee2f1f61fee68dfede623f8153a003ccc7b42184e
> RB> MS-MPPE-Send-Key = 0x9d6e1d8b88bee44b8268cb5e16c44f69d568ca904ae4775abfce64a1eaaa7c29dfd8
> RB> MS-MPPE-Encryption-Policy = 0x00000001
> RB> MS-MPPE-Encryption-Types = 0x00000004
> RB> Finished request 3
> RB> Going to the next request
>
> RB> ____________________________________________________________________________
> RB> --- Walking the entire request list ---
> >> -----Original Message-----
> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> Sent: 24 January 2003 18:24
> >> To: Roman Bessyadovskii
> >> Subject: Re[5]: sql and MSCHAP and disabling user.
> >>
> >>
> >> Dear Roman Bessyadovskii,
> >>
> >> Send logs with SMB-Account-CTRL := 17.
> >>
> >>
> >> --Friday, January 24, 2003, 6:00:09 PM, you wrote to
> >> [EMAIL PROTECTED]:
> >>
> >> RB> Sure, :=. That's what I set.
> >>
> >> RB> And solution 1, as time shows, is not good enough for me.
> >> RB> I want to authorize VPN users (MS-CHAP) and Squid users with the same
> >> RB> passwords (a user can access the internet via VPN or via Squid), and
> >> RB> when I comment out authtype = MS-CHAP in radiusd.conf and insert
> >> RB> Auth-Type = MS-CHAP in radacct then Squid users can't log in, because
> >> RB> Squid does not use MS-CHAP...
> >>
> >> >> -----Original Message-----
> >> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> >> Sent: 24 January 2003 17:15
> >> >> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> >> >> Cc: [EMAIL PROTECTED]
> >> >> Subject: Re[3]: sql and MSCHAP and disabling user.
> >> >>
> >> >>
> >> >> Dear Roman Bessyadovskii,
> >> >>
> >> >> Any of the SMB-Account-CTRL, User-Password and Auth-Type attributes
> >> >> should be present with the := operation, not ==.
> >> >>
> >> >> --Friday, January 24, 2003, 4:47:46 PM, you wrote to
> >> >> [EMAIL PROTECTED]:
> >> >>
> >> >> RB> Ok, solution 1 is good enough, and I can solve the problem with it.
> >> >> RB> But solution 2 (with SMB-Account-CTRL) does not work for me.
> >> >>
> >> >> RB> I set SMB-Account-CTRL := 16 (17) in radcheck and in radreply, but
> >> >> RB> there is no effect on the authorisation process.
> >> >>
> >> >>
> >> >>
> >> >> RB> At this moment I don't clearly understand the process of
> >> >> RB> Authorization and Authentication.
> >> >> RB> I have read the doc/aaa.txt (How Authorization, Authentication, and
> >> >> RB> Accounting requests are handled) file but some corners are still
> >> >> RB> dark at this time.
> >> >>
> >> >> RB> For example:
> >> >> RB> radius receives an access request with some Attribute-Value pairs.
> >> >> RB> The server begins the Authorisation process and collects data about
> >> >> RB> the user by calling modules from the authorize section.
> >> >> RB> So, the question: why is the order of the check modules important?
> >> >> RB> As I wrote in an earlier letter, I switched the sql and mschap
> >> >> RB> modules and the user receives Access Denied.
> >> >>
> >> >> RB> Or another question:
> >> >> RB> When I specify some attributes in the sql DB in radreply, would
> >> >> RB> those attributes be included in the Reply Message to the client?
> >> >> RB> If so, how would SMB-Account-CTRL be considered if radius returns
> >> >> RB> Access-Accept?
> >> >>
> >> >>
> >> >> >> -----Original Message-----
> >> >> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> >> >> Sent: 24 January 2003 12:28
> >> >> >> To: [EMAIL PROTECTED]; Roman
> Bessyadovskii
> >> >> >> Cc: [EMAIL PROTECTED]
> >> >> >> Subject: Re: sql and MSCHAP and disabling user.
> >> >> >>
> >> >> >>
> >> >> >> Dear Roman Bessyadovskii,
> >> >> >>
> >> >> >> Including mschap in the authorize{} section with "authtype"
> >> >> >> configured in the mschap module configuration tells the mschap
> >> >> >> module that it should automatically detect an MS-CHAP handshake
> >> >> >> and set the auth type to MS-CHAP if one is found.
> >> >> >>
> >> >> >> I see 2 possible solutions:
> >> >> >> 1. Remove authtype in the mschap configuration. If you need both
> >> >> >> PAP and MS-CHAP to work you can create an authenticate{} group from
> >> >> >> pap and mschap.
> >> >> >> 2. Add the SMB-Account-CTRL parameter.
> >> >> >>
> >> >> >> SMB-Account-CTRL should be 16 for a normal account, 17 for a
> >> >> >> disabled account and 1025 for an auto locked account. In the
> >> >> >> general case it's a combination of OR'ed flags:
> >> >> >>
> >> >> >> #define ACB_DISABLED  0x0001 /* 1 = User account disabled */
> >> >> >> #define ACB_HOMDIRREQ 0x0002 /* 1 = Home directory required */
> >> >> >> #define ACB_PWNOTREQ  0x0004 /* 1 = User password not required */
> >> >> >> #define ACB_TEMPDUP   0x0008 /* 1 = Temporary duplicate account */
> >> >> >> #define ACB_NORMAL    0x0010 /* 1 = Normal user account */
> >> >> >> #define ACB_MNS       0x0020 /* 1 = MNS logon user account */
> >> >> >> #define ACB_DOMTRUST  0x0040 /* 1 = Interdomain trust account */
> >> >> >> #define ACB_WSTRUST   0x0080 /* 1 = Workstation trust account */
> >> >> >> #define ACB_SVRTRUST  0x0100 /* 1 = Server trust account */
> >> >> >> #define ACB_PWNOEXP   0x0200 /* 1 = User password does not expire */
> >> >> >> #define ACB_AUTOLOCK  0x0400 /* 1 = Account auto locked */
> >> >> >>
> >> >> >> (ACB_NORMAL should always be present, otherwise the account is
> >> >> >> ignored)
> >> >> >>
> >> >> >> Having SMB-Account-CTRL gives you an additional advantage, because
> >> >> >> your Windows users will get a valid message ("account disabled" or
> >> >> >> "account locked out") instead of "invalid password".
> >> >> >>
> >> >> >> --Friday, January 24, 2003, 10:45:15 AM, you wrote to
> >> >> >> [EMAIL PROTECTED]:
> >> >> >>
> >> >> >> RB> Hi All.
> >> >> >>
> >> >> >> RB> I need to set up a VPN server with RADIUS login and store the
> >> >> >> RB> passwords in SQL.
> >> >> >> RB> I have installed everything correctly (poptop, ppp, freeradius,
> >> >> >> RB> mysql) and configured it; users can connect and go through the VPN.
> >> >> >>
> >> >> >> RB> And I want to temporarily disable a user, but I can't.
> >> >> >>
> >> >> >> RB> That's what I do.
> >> >> >>
> >> >> >> RB> mysql> select * from radcheck;
> >> >> >> RB> +----+----------+---------------+----+--------+
> >> >> >> RB> | id | UserName | Attribute     | op | Value  |
> >> >> >> RB> +----+----------+---------------+----+--------+
> >> >> >> RB> |  1 | test     | User-Password | == | test   |
> >> >> >> RB> |  2 | test     | Auth-Type     | == | Reject |
> >> >> >> RB> +----+----------+---------------+----+--------+
> >> >> >>
> >> >> >> RB> From radiusd.conf:
> >> >> >> RB> authorize {
> >> >> >> RB>     preprocess
> >> >> >> RB>     chap
> >> >> >> RB>     suffix
> >> >> >> RB>     sql
> >> >> >> RB>     #
> >> >> >> RB>     # If the users are logging in with an MS-CHAP-Challenge
> >> >> >> RB>     # attribute for authentication, the mschap module will find
> >> >> >> RB>     # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
> >> >> >> RB>     # to the request, which will cause the server to then use
> >> >> >> RB>     # the mschap module for authentication.
> >> >> >> RB>     mschap
> >> >> >>
> >> >> >> RB> }
> >> >> >>
> >> >> >> RB> As described in the comment, MS-CHAP adds (or rewrites)
> >> >> >> RB> Auth-Type for MS-CHAP and the user can log in independent of
> >> >> >> RB> the Reject in the sql table.
> >> >> >>
> >> >> >> RB> If in the authorize section I switch the sql and mschap modules
> >> >> >> RB> and set the following order
> >> >> >> RB> authorize {
> >> >> >> RB> ...
> >> >> >> RB> mschap
> >> >> >> RB> sql
> >> >> >> RB> }
> >> >> >>
> >> >> >> RB> In that configuration I receive a reject if I disable the user in
> >> >> >> RB> the sql table, but I also receive a reject for normal (not
> >> >> >> RB> disabled) users, with the following log (radiusd -X).
> >> >> >>
> >> >> >> RB> rlm_sql (sql): Released sql socket id: 4
> >> >> >> RB> modcall[authorize]: module "sql" returns ok
> >> >> >> RB> modcall: group authorize returns ok
> >> >> >> RB> rad_check_password: Found Auth-Type MS-CHAP
> >> >> >> RB> auth: type "MS-CHAP"
> >> >> >> RB> modcall: entering group authtype
> >> >> >> RB> rlm_mschap: No LM/NT password configured. Check authorization.
> >> >> >> RB> modcall[authenticate]: module "mschap" returns invalid
> >> >> >> RB> modcall: group authtype returns invalid
> >> >> >> RB> auth: Failed to validate the user.
> >> >> >> RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
> >> >> >> RB> Delaying request 0 for 1 seconds
> >> >> >>
> >> >> >> RB> How do I need to configure radius for it to work properly?
> >> >> >> RB> Or how can I disable a user in that configuration?
> >> >> >>
> >> >> >> RB> Thanks.
> >> >> >>
> >> >> >> RB> Rick.
> >> >> >>
>
> >>
>
> RB> -
> RB> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> --
> ~/ZARAZA
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
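An added worked example (not code from the thread and not FreeRADIUS's own) for the SMB-Account-CTRL discussion above: it decodes a value into the ACB_* bits 3APA3A quotes, classifies the account by the rules the thread states (ACB_NORMAL required, ACB_DISABLED rejects), and checks radcheck rows for the ':=' operator that the thread insists on. The ACB_* values are the ones quoted in the thread; treating ACB_AUTOLOCK as a reject ("locked") is an assumption of this example, and the rows in the test are constructed from the tables shown above.

```python
# Added example, not code from the thread or from FreeRADIUS: decodes an
# SMB-Account-CTRL value into the Samba ACB_* bits quoted in the thread and
# checks radcheck rows for the ':=' operator the thread insists on.

ACB_DISABLED  = 0x0001  # user account disabled
ACB_HOMDIRREQ = 0x0002  # home directory required
ACB_PWNOTREQ  = 0x0004  # user password not required
ACB_TEMPDUP   = 0x0008  # temporary duplicate account
ACB_NORMAL    = 0x0010  # normal user account (must be set)
ACB_MNS       = 0x0020  # MNS logon user account
ACB_DOMTRUST  = 0x0040  # interdomain trust account
ACB_WSTRUST   = 0x0080  # workstation trust account
ACB_SVRTRUST  = 0x0100  # server trust account
ACB_PWNOEXP   = 0x0200  # password does not expire
ACB_AUTOLOCK  = 0x0400  # account auto locked

ACB_NAMES = {
    ACB_DISABLED: "ACB_DISABLED", ACB_HOMDIRREQ: "ACB_HOMDIRREQ",
    ACB_PWNOTREQ: "ACB_PWNOTREQ", ACB_TEMPDUP: "ACB_TEMPDUP",
    ACB_NORMAL: "ACB_NORMAL", ACB_MNS: "ACB_MNS",
    ACB_DOMTRUST: "ACB_DOMTRUST", ACB_WSTRUST: "ACB_WSTRUST",
    ACB_SVRTRUST: "ACB_SVRTRUST", ACB_PWNOEXP: "ACB_PWNOEXP",
    ACB_AUTOLOCK: "ACB_AUTOLOCK",
}

def decode_acct_ctrl(value):
    """Names of the ACB_* bits set in value, lowest bit first; unknown bits
    are reported so a typo in radcheck is visible."""
    names = [name for bit, name in sorted(ACB_NAMES.items()) if value & bit]
    unknown = value & ~sum(ACB_NAMES)
    if unknown:
        names.append("UNKNOWN(0x%04x)" % unknown)
    return names

def account_state(value):
    """Thread rules: no ACB_NORMAL -> ignored, ACB_DISABLED -> disabled.
    Treating ACB_AUTOLOCK as a reject ('locked') is this example's assumption."""
    if not value & ACB_NORMAL:
        return "ignored"
    if value & ACB_DISABLED:
        return "disabled"
    if value & ACB_AUTOLOCK:
        return "locked"
    return "ok"

def check_radcheck_rows(rows):
    """rows: (UserName, Attribute, op, Value) tuples as in the radcheck table.
    SMB-Account-CTRL must be set with ':=' (not compared with '==', as the
    thread says) and hold an integer; valid rows get their decoded state."""
    report = []
    for user, attr, op, val in rows:
        if attr != "SMB-Account-CTRL":
            continue
        if op != ":=":
            report.append("%s: SMB-Account-CTRL uses '%s', must be ':='" % (user, op))
        elif not val.strip().isdigit():
            report.append("%s: SMB-Account-CTRL value %r is not an integer" % (user, val))
        else:
            report.append("%s: SMB-Account-CTRL %s -> %s" % (user, val.strip(), account_state(int(val))))
    return report
```

Running decode_acct_ctrl on a value before storing it shows exactly which ACB_* bits it sets, which is the quickest way to catch a value that lacks ACB_NORMAL.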