Hi,

I am now using FreeRADIUS 1.0.5 with ATA 188 v3.1.2 and GnuGK 2.2.2_4 on FreeBSD 6.0.
When GnuGK sends an Access-Request for the ATA, RADIUS rejects it.

You can check the log from FreeRADIUS as below.

During authorization, RADIUS sets Auth-Type to CHAP. (In the log, you can see "rlm_chap: Setting 'Auth-Type := CHAP'".) But during authentication, RADIUS finds Auth-Type set to Reject. (In the log, you can see "rad_check_password: Found Auth-Type Reject".) I don't know why Auth-Type has changed.

Could you tell me what is wrong in my configuration?

Thanks in advance.
Bye.

BJ.

=========================== The log from FreeRADIUS =========================== rad_recv: Access-Request packet from host 152.102.50.225:64821, id=117, length=145
       User-Name = "happian"
       CHAP-Password = 0x04b3d9e7363592e0e15a4fc9c7ec90e627
       CHAP-Challenge = 0x43c44e1a
       NAS-IP-Address = 152.102.50.225
       NAS-Identifier = "Gatekeeper"
       NAS-Port-Type = Virtual
       Service-Type = Login-User
       Framed-IP-Address = 152.102.50.223
       Cisco-AVPair = "h323-ivr-out=terminal-alias:happian,0175722139;"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
radius_xlat:  '/var/log/radius/radacct//auth-detail-20060111'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct//auth-detail-20060111
 modcall[authorize]: module "auth_log" returns ok for request 5
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module "chap" returns ok for request 5
radius_xlat:  'happian'
rlm_sql (sql): sql_set_user escaped user --> 'happian'
radius_xlat: 'SELECT id, 'happian', attrname, attrvalue, attrop FROM ??radius_get_check_attrs('happian', NULLIF('152.102.50.223', ' ')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'', NULLIF('',''), ???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 'h323-ivr-out', 'terminal-alias') ???)'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop FROM ??radius_get_check_attrs('happian', NULLIF('152.10 2.50.223', '')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'', NULLIF('',''), ???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
radius_xlat: 'SELECT id, 'happian', attrname, attrvalue, attrop FROM ??radius_get_reply_attrs('happian', NULLIF('152.102.50.223', ' ')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'', NULLIF('',''), ???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 'h323-ivr-out', 'terminal-alias') ???)' rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop FROM ??radius_get_reply_attrs('happian', NULLIF('152.10 2.50.223', '')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'', NULLIF('',''), ???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module "sql" returns ok for request 5
modcall: group authorize returns ok for request 5
 rad_check_password:  Found Auth-Type Reject
 rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [happian/<CHAP-Password>] (from client Gatekeeper port 0) Sending Access-Reject of id 117 to 152.102.50.225:64821 Finished request 5 ======================================================================

=========================== radiusd.conf =========================== prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/ log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no
# Global server options: regex support, authentication logging, and
# normalisation of user names and passwords.
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = yes
# log_auth writes one line per authentication attempt to the server log.
log_auth = yes
# The next two options add the password to those log lines, for rejected
# and for accepted requests respectively. For PAP requests that is the
# cleartext password. The CHAP request in the posted debug output is
# logged only as "<CHAP-Password>".
# NOTE(review): with log_auth_goodpass enabled, anyone who can read
# ${logdir}/radius.log can collect valid credentials from PAP logins.
# Confirm this is intended outside of debugging and check the log
# file's permissions.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
# User names and passwords are compared as received: no lower-casing and
# no whitespace stripping.
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

# Packet-level hardening options.
security {
        # Upper bound on the number of attributes accepted in one packet;
        # packets carrying more are dropped.
        max_attributes = 200
        # Seconds to hold an Access-Reject before sending it. With 0 the
        # reject is sent immediately, so failed logins are not throttled
        # by the server.
        # NOTE(review): a non-zero delay slows online password guessing;
        # confirm that 0 is deliberate.
        reject_delay = 0
        # Status-Server requests are not answered.
        status_server = no
}

proxy_requests  = no

$INCLUDE  ${confdir}/clients.conf

snmp    = no

thread pool {
        start_servers = 2
        max_servers = 5
        min_spare_servers = 1
        max_spare_servers = 2
        max_requests_per_server = 0
}

modules {
        chap {
                authtype = CHAP
        }

        preprocess {
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = yes
        }

        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        detail auth_log {
                detailfile = 
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
                detailperm = 0600
        }

        detail reply_log {
                detailfile = 
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
                detailperm = 0600
        }

        acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }

        $INCLUDE  ${confdir}/postgresql.conf

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }

        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        expr {
        }

        digest {
        }

        exec {
                wait = yes
                input_pairs = request
        }

        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }

        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
        }
}

instantiate {
        expr
}

# Modules run in the order listed. Each may add check items, including
# Auth-Type, which decide how the request is authenticated afterwards.
authorize {
        preprocess
        auth_log
        # Sets 'Auth-Type := CHAP' when the request carries CHAP-Password
        # (visible in the posted debug output).
        chap
        # Runs after chap and loads check/reply items for the user through
        # the queries in postgresql.conf.
        # NOTE(review): in the posted debug output every module returns ok,
        # yet rad_check_password finds Auth-Type Reject once this section
        # ends. The check items returned by the sql query
        # (radius_get_check_attrs) are the likely source. Confirm by
        # running that query by hand for the affected user.
        sql
}

# Maps the Auth-Type chosen during authorize to the module that verifies
# the credentials. CHAP is the only type with a handler here.
# NOTE(review): per the posted debug output, the server rejects a request
# whose Auth-Type is Reject ("Auth-Type = Reject, rejecting user") and no
# module from this section is shown running for it. No entry in this
# section appears to be needed or consulted for that case.
authenticate {
        Auth-Type CHAP {
                chap
        }
}

preacct {
}

accounting {
        acct_unique
        sql
}

session {
}

post-auth {
        reply_log
}

pre-proxy {
}

post-proxy {
}
=====================================================================

