Hi, I'm currently using Extreme Networks switches (BlackDiamonds, Alpines, ...) with EPICenter and RADIUS login. Now I need to set up a secondary RADIUS server, and I installed FreeRADIUS (v0.9.3) on one of our Gentoo Linux servers. EPICenter is configured as the primary RADIUS server on the switches. During my tests I just disabled EPICenter and didn't change the setup on the switches (except for the secondary server).
I've set up FreeRADIUS with one user who is already able to log in. The problem I'm facing is that this user should be admin on the switches, but even when setting "Service-Type = Administrative-User" I don't have the rights to do anything on the switch.
/etc/raddb/myuserfile:
user1 Auth-Type := System, Crypt-Password == "$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/", Service-Type == "Administrative-User"
This is the output of one login attempt via telnet (radiusd -sfxxyz -l stdout):
Code:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.6.0.1:1279, id=208, length=82
User-Name = "user1"
User-Password = "password"
NAS-IP-Address = 10.6.0.1
Service-Type = Login-User
Calling-Station-Id = "212.xx.xx.xx"
NAS-Port-Type = Virtual
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/10.6.0.1/auth-detail-20040324'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.6.0.1/auth-detail-20040324
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user1/password] (from client switches port 0 cli 212.xx.xx.xx)
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 208 to 10.6.0.1:1279
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.6.0.1:1280, id=28, length=82
User-Name = "user1"
User-Password = "password"
NAS-IP-Address = 10.6.0.1
Service-Type = Administrative-User
Calling-Station-Id = "212.xx.xx.xx"
NAS-Port-Type = Virtual
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/10.6.0.1/auth-detail-20040324'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.6.0.1/auth-detail-20040324
modcall[authorize]: module "auth_log" returns ok for request 1
users: Matched user1 at 1
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type Crypt
Login OK: [user1/password] (from client switches port 0 cli 212.xx.xx.xx)
Sending Access-Accept of id 28 to 10.6.0.1:1280
Finished request 1
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 208 with timestamp 4061a032
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 28 with timestamp 4061a034
Nothing to do. Sleeping until we see a request.
It is strange that one telnet login attempt triggers 2 accesses, where the first one is "Service-Type = Login-User" with a warning that the shared secret is wrong (which it isn't).
So it is likely that I have misconfigured something, but I just don't find the problem...
I also found this
http://lists.cistron.nl/pipermail/freeradius-users/2002-November/013423.html
but there was no solution for me there.
Thanks for any hint,
JG
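As an added illustration (not part of the original post and not FreeRADIUS code): a simplified model of how the users file treats check items on the entry's first line versus reply items on indented continuation lines, run against the posted entry and the two Access-Requests seen in the debug output. Password and Auth-Type items are treated as control items that are never compared with the request, which is a simplification of the real rlm_files matching.

```python
"""Simplified model of FreeRADIUS users-file matching (added example, not FreeRADIUS code).

First line of an entry: check items. An item written with "==" must be present in the
request with that value, otherwise the entry is skipped (rlm_files reports "notfound").
Indented continuation lines: reply items, returned to the NAS in the Access-Accept.
Simplification: password and Auth-Type items are control items and are never compared.
"""
import re

CONTROL_ATTRS = {"Auth-Type", "Crypt-Password", "User-Password"}
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Parse 'A == "x", B := y' into a list of (attribute, operator, value)."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_entry(entry):
    """Split one users-file entry into (name, check items, reply items)."""
    lines = entry.strip("\n").splitlines()
    name, _, check_text = lines[0].partition(" ")
    reply_text = ", ".join(ln.strip() for ln in lines[1:])
    return name, parse_items(check_text), parse_items(reply_text)


def match(entry, request):
    """Return the reply items if every check item matches, else None (notfound)."""
    name, checks, replies = entry
    if request.get("User-Name") != name:
        return None
    for attr, op, value in checks:
        if attr in CONTROL_ATTRS or op == ":=":
            continue  # control item: sets server state, not compared with the request
        if request.get(attr) != value:
            return None  # "==" check item absent or different in the request
    return replies


# The entry as posted, on one logical line, so Service-Type is a check item.
POSTED = ('user1 Auth-Type := System, Crypt-Password == '
          '"$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/", Service-Type == "Administrative-User"')
# Conventional layout: Service-Type as a reply item on an indented continuation line.
LAYOUT_WITH_REPLY = ('user1 Auth-Type := System, Crypt-Password == '
                     '"$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/"\n'
                     '\tService-Type = Administrative-User')
# Constructed from the two Access-Requests in the debug output above.
LOGIN_USER = {"User-Name": "user1", "Service-Type": "Login-User"}
ADMIN_USER = {"User-Name": "user1", "Service-Type": "Administrative-User"}


def outcomes(entry_text):
    """Map each request's Service-Type to the reply items (None means notfound)."""
    entry = parse_entry(entry_text)
    return {req["Service-Type"]: match(entry, req) for req in (LOGIN_USER, ADMIN_USER)}
```

With the posted entry the Login-User request is notfound and the Administrative-User request matches but carries no reply items, which is the same pattern as requests 0 and 1 in the debug output.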